I think (B) is much more likely than (A) - and I have experienced it myself; I have never experienced (A).
Fair enough.
comments from people other than you, me, and Joel on this point. I do agree that solving it requires extending the keyex protocol, probably along one of the three general paths I described in my message, none of which are terribly appealing to me. I believe the bar to be passed before solving this problem should be rather high.I agree, but I think we MUST fix the transport I-D wrt KEXINIT extensibility. If we do that now then we can wait till later to solve (A) and/or (B).
Yes, definitely.
Before we do either we really ought to fix the transport I-D wrt KEXINIT extensibility, and in the process find out what implementations do today about extended KEXINITs. Though I've proposed the alg aliases/bogus alg approach I think extending KEXINIT is the right approach and the clean approach.
Yes, extending KEXINIT is definitely cleaner.