IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Thu, Apr 16, 2009 at 10:50:10AM -0400, Jeffrey Hutzelman wrote:
> --On Thursday, April 16, 2009 09:30:30 AM -0500 Nicolas Williams 
> <Nicolas.Williams%sun.com@localhost> wrote:
> 
> >On Thu, Apr 16, 2009 at 10:20:46AM -0400, Jeffrey Hutzelman wrote:
> >>--On Thursday, April 16, 2009 09:04:35 AM -0500 Nicolas Williams
> >><Nicolas.Williams%sun.com@localhost> wrote:
> >>
> >>> This is a separate issue.  Remove AEAD and you don't interop.  Add AEAD
> >>> with my rule and you still don't interop.  To improve the situation we
> >>> need to twist the KEXINIT abstraction a bit more (no objections from
> >>> me): IF a non-AEAD cipher is chosen AND there was no common MAC AND
> >>> there was a common AEAD cipher THEN re-compute the cipher selection
> >>> ignoring all non-AEAD ciphers.
> >>
> >>Ugh.  This is starting to get complicated.
> >
> >No, it's not.  I'm perfectly happy to have the problem that Niels
> >pointed out.
> 
> Yes, it is.  The twist you describe is complicated.  It's a funny special 
> case.  What's going to happen when we have another funny special case?

Like I said: I'm happy to have that problem.  But also, we are not
likely to have a new funny special case soon enough that we can't, in
the interim, work out a generic KEX extensibility scheme.
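The negotiation rule quoted above, worked through as an added example (this is not code from the thread or from any SSH implementation). It applies the plain RFC 4253 rule (first client-preferred name that the server also lists) to the cipher and MAC lists, then the proposed "twist": if that picks a non-AEAD cipher, no MAC is common, but an AEAD cipher is common, re-run the cipher selection over AEAD ciphers only. The set of names treated as AEAD and the algorithm names in the sample lists are assumptions for illustration, and only one direction of the connection is modelled.

```python
from typing import Optional, Sequence, Tuple

# Assumption for this example: which cipher names are AEAD.  In the real
# protocol this is a property of each algorithm's definition.
AEAD_CIPHERS = frozenset({"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"})


def negotiate(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """RFC 4253 section 7.1 rule for one name-list: the first algorithm in
    the client's order that the server also supports, or None if there is
    no common algorithm."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


def select_cipher_and_mac(
    c_ciphers: Sequence[str],
    s_ciphers: Sequence[str],
    c_macs: Sequence[str],
    s_macs: Sequence[str],
) -> Tuple[Optional[str], Optional[str]]:
    """Return (cipher, mac) for one direction.  (None, None) means the key
    exchange fails.  An AEAD cipher is returned with mac=None because it
    supplies its own integrity protection and the MAC list is ignored."""
    cipher = negotiate(c_ciphers, s_ciphers)
    mac = negotiate(c_macs, s_macs)

    if cipher is None:
        return None, None            # no common cipher at all
    if cipher in AEAD_CIPHERS:
        return cipher, None          # AEAD chosen: MAC outcome is irrelevant
    if mac is not None:
        return cipher, mac           # ordinary cipher + MAC, nothing special

    # The "twist": a non-AEAD cipher was chosen AND there is no common MAC.
    # Re-compute the cipher selection ignoring every non-AEAD cipher; if
    # that yields a common AEAD cipher, use it instead of failing.
    aead_c = [c for c in c_ciphers if c in AEAD_CIPHERS]
    aead_s = [c for c in s_ciphers if c in AEAD_CIPHERS]
    fallback = negotiate(aead_c, aead_s)
    if fallback is not None:
        return fallback, None
    return None, None                # no MAC and no AEAD fallback: KEX fails


if __name__ == "__main__":
    # Constructed sample lists: both peers prefer CBC, share an AEAD cipher,
    # but have no MAC in common.  Without the twist this would fail.
    print(select_cipher_and_mac(
        ["aes128-cbc", "AEAD_AES_128_GCM"],
        ["aes128-cbc", "AEAD_AES_128_GCM"],
        ["hmac-sha1"],
        ["hmac-sha2-256"],
    ))
```

The fallback only changes the outcome in the one case the thread is about (non-AEAD cipher wins the first pass, MAC lists are disjoint, an AEAD cipher is common); every other combination is decided exactly as the unmodified RFC 4253 rule would decide it.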


