IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



>> To improve the situation we need to twist the KEXINIT abstraction a
>> bit more [...]  IF a non-AEAD cipher is chosen AND there was no
>> common MAC AND there was a common AEAD cipher THEN re-compute the
>> cipher selection ignoring all non-AEAD ciphers.

This rule interacts very badly with the implementation of
any other encryption algorithm that similarly wants to ignore MACs,
especially if it defines an analogous rule.

> Ugh.  This is starting to get complicated.

Indeed.  My "next special case" has shown up already and the first one
hasn't even been settled yet.  I stand by my stance that this approach
will rapidly turn kex into an incomprehensible (and, of course,
unmaintainable) mess of cross-linked dependencies.

For implementers who are determined to do it anyway - don't forget,
when deciding what to implement, to also think about interop with
implementations that haven't heard of, or decided not to implement,
whatever you settle on.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
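The exchange above argues about a negotiation rule without showing it run. The following is an added example, not code from the thread or from any SSH implementation: a small model of RFC 4253 section 7.1 algorithm negotiation (first entry on the client's list that the server also lists), with the quoted "tweak" layered on top as a fallback rule that is consulted only when a non-AEAD cipher was chosen and no MAC is common. The KEXINIT lists are constructed for illustration; `AEAD_AES_128_GCM` is the RFC 5647 name and `chacha20-poly1305@openssh.com` the OpenSSH name. Passing a single rule covering every AEAD cipher reproduces the proposal as quoted; passing one rule per algorithm family (which is how "an analogous rule" defined by a second AEAD cipher would end up) shows the objection in the reply: the selected cipher then depends on the order in which the implementation evaluates its own rules, not on either peer's stated preferences.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# Constructed algorithm families for the example. AEAD_AES_*_GCM are the
# RFC 5647 names; chacha20-poly1305@openssh.com is the OpenSSH name.
GCM_FAMILY = frozenset({"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"})
CHACHA_FAMILY = frozenset({"chacha20-poly1305@openssh.com"})
AEAD_CIPHERS = GCM_FAMILY | CHACHA_FAMILY


def negotiate(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm on the client's list that
    the server also lists wins; None when nothing is common."""
    server_set = set(server)
    return next((name for name in client if name in server_set), None)


@dataclass(frozen=True)
class Selection:
    cipher: Optional[str]
    mac: Optional[str]   # None for an AEAD cipher (the tag replaces the MAC) or on failure
    ok: bool


def negotiate_cipher_and_mac(
    client_ciphers: Sequence[str], server_ciphers: Sequence[str],
    client_macs: Sequence[str], server_macs: Sequence[str],
    fallback_rules: Iterable[frozenset] = (),
) -> Selection:
    """Plain RFC 4253 negotiation, then the proposed tweak.

    Each entry of fallback_rules is one tweak: a family of AEAD ciphers that
    is re-negotiated on its own when a non-AEAD cipher was chosen but no MAC
    is common. (AEAD_CIPHERS,) is exactly the quoted rule; one rule per
    family models a second algorithm defining an analogous rule."""
    cipher = negotiate(client_ciphers, server_ciphers)
    if cipher is None:
        return Selection(None, None, False)
    if cipher in AEAD_CIPHERS:
        return Selection(cipher, None, True)
    mac = negotiate(client_macs, server_macs)
    if mac is not None:
        return Selection(cipher, mac, True)
    # Non-AEAD cipher and no common MAC: stock RFC 4253 fails right here.
    for family in fallback_rules:
        retry = negotiate([c for c in client_ciphers if c in family],
                          [c for c in server_ciphers if c in family])
        if retry is not None:
            return Selection(retry, None, True)
    return Selection(cipher, None, False)


# Constructed KEXINIT lists: both peers put aes128-cbc first and share two
# AEAD ciphers, but have no MAC algorithm in common.
CLIENT_CIPHERS = ["aes128-cbc", "AEAD_AES_128_GCM", "chacha20-poly1305@openssh.com"]
SERVER_CIPHERS = ["aes128-cbc", "chacha20-poly1305@openssh.com", "AEAD_AES_128_GCM"]
CLIENT_MACS = ["hmac-sha2-256"]
SERVER_MACS = ["hmac-sha1"]


def demo() -> dict:
    """Outcome of the same KEXINIT lists under each negotiation variant."""
    args = (CLIENT_CIPHERS, SERVER_CIPHERS, CLIENT_MACS, SERVER_MACS)
    return {
        "rfc4253": negotiate_cipher_and_mac(*args),
        "tweak": negotiate_cipher_and_mac(*args, fallback_rules=(AEAD_CIPHERS,)),
        "gcm_then_chacha": negotiate_cipher_and_mac(
            *args, fallback_rules=(GCM_FAMILY, CHACHA_FAMILY)),
        "chacha_then_gcm": negotiate_cipher_and_mac(
            *args, fallback_rules=(CHACHA_FAMILY, GCM_FAMILY)),
    }


if __name__ == "__main__":
    for variant, sel in demo().items():
        print(f"{variant:16} ok={sel.ok} cipher={sel.cipher} mac={sel.mac}")
```

With these lists, stock negotiation picks aes128-cbc and then fails for want of a MAC; the quoted tweak recovers with AEAD_AES_128_GCM, which is what the client's own ordering would favour among the AEAD ciphers. Once each family carries its own rule, the outcome flips between AEAD_AES_128_GCM and chacha20-poly1305@openssh.com purely according to rule order, which is the cross-linked dependency the reply warns about. An implementation that adopts any such rule should also be tested against a peer that applies none of them, since that peer will simply report negotiation failure.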
