IETF-SSH archive


Re: Authenticated cipher modes



> transport-24, section 9, second paragraph, fourth sentence:
>
>                                                    It is permissible to
>    change some or all of the algorithms during the re-exchange.
>
Thanks!

> >Taking another tack, how about a pseudo-mac?  e.g. none-ocb  Which is "none
> >MAC available only when coupled with an ocb cipher".  This could be placed
> >at the front of the methods list (avoiding any major changes to the
> >selection criteria), but its use would be dependent on the selected cipher.
> >This is similar to the coupling between kex method and hostkey method (If
> >kex requires an encryption capable hostkey method, then signing only methods
> >are ignored).
>
> I don't think there's anything intrinsically wrong with that idea, but I
> don't see that it has any advantage over having OCB just override the
> selected MAC (which is equivalent to always having "none-ocb" at the start
> of the MAC list).  Are there circumstances where one might want to use OCB
> (or similar) with an external MAC?
>
I can't honestly imagine any.  Both methods rely on understanding of one
assumption or another.   The only real difference is that one is implicit,
the other is explicit.  I'm just offering my thoughts to the discussion for
whatever they're worth.

-Sara



