Re: applying AES-GCM to secure shell: proposed "tweak"

To: ietf-ssh%NetBSD.org@localhost
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: der Mouse <mouse%Rodents-Montreal.ORG@localhost>
Date: Fri, 10 Apr 2009 01:48:01 -0400 (EDT)

> Given that key exchange is not retriable I think the best thing to do
> is to ignore [the currently-0 last field of SSH_MSG_KEXNIIT] and
> always place a zero there until we define its meaning.  That will
> allow us to use it to negotiate new features when both the client and
> server advertise them (non-zero values).

Not without breaking interoperability with existing implementations
that check that the field is zero.

Or do you maintain that there are no such?  Or that interoperability
with them doesn't matter?  I find the latter severely busted and the
former unlikely, especially since the spec does not even suggest, much
less specify, behaviour for an implementation which encounters a value
for that field that it doesn't understand.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Follow-Ups:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams

References:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Joseph Galbraith
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: der Mouse
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index