IETF-SSH archive
Re: applying AES-GCM to secure shell: proposed "tweak"
On Thu, Apr 16, 2009 at 10:20:46AM -0400, Jeffrey Hutzelman wrote:
> --On Thursday, April 16, 2009 09:04:35 AM -0500 Nicolas Williams
> <Nicolas.Williams%sun.com@localhost> wrote:
>
> >This is a separate issue. Remove AEAD and you don't interop. Add AEAD
> >with my rule and you still don't interop. To improve the situation we
> >need to twist the KEXINIT abstraction a bit more (no objections from
> >me): IF a non-AEAD cipher is chosen AND there was no common MAC AND
> >there was a common AEAD cipher THEN re-compute the cipher selection
> >ignoring all non-AEAD ciphers.
>
> Ugh. This is starting to get complicated.
No, it's not. I'm perfectly happy to have the problem that Niels
pointed out.
Nico
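
The fallback rule quoted above, worked through as an added example (not code from this thread or from any SSH implementation). It covers one direction only and assumes RFC 4253 first-match selection and that an AEAD cipher needs no separately negotiated MAC; `negotiate`, `first_common`, the `AEAD` set and the sample name lists are hypothetical and constructed for illustration.

```python
# Added illustration of the quoted KEXINIT fallback rule; names are assumptions.
AEAD = {"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}  # assumed set of AEAD cipher names


def first_common(client, server):
    """RFC 4253 selection: first name on the client's list the server also offers."""
    return next((name for name in client if name in server), None)


def negotiate(c_ciphers, s_ciphers, c_macs, s_macs, aead=AEAD):
    """Return (cipher, mac) for one direction; mac is None for an AEAD cipher."""
    cipher = first_common(c_ciphers, s_ciphers)
    if cipher is None:
        raise ValueError("no common cipher")
    if cipher in aead:
        return cipher, None  # assumption: AEAD cipher supplies integrity itself

    mac = first_common(c_macs, s_macs)
    if mac is not None:
        return cipher, mac  # ordinary outcome: non-AEAD cipher plus common MAC

    # Quoted rule: non-AEAD cipher chosen AND no common MAC AND a common AEAD
    # cipher exists -> recompute the cipher selection ignoring non-AEAD ciphers.
    aead_only = [name for name in c_ciphers if name in aead]
    cipher = first_common(aead_only, s_ciphers)
    if cipher is None:
        raise ValueError("no common MAC and no common AEAD cipher")
    return cipher, None


if __name__ == "__main__":
    # Constructed name lists: the client prefers a non-AEAD cipher, and the
    # two sides share no MAC, so only the fallback lets them agree.
    client_ciphers = ["aes128-ctr", "AEAD_AES_128_GCM"]
    server_ciphers = ["AEAD_AES_128_GCM", "aes128-ctr"]
    print(negotiate(client_ciphers, server_ciphers, ["hmac-md5"], ["hmac-sha1"]))
```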