Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]

To: ietf-ssh%netbsd.org@localhost
Subject: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
From: Mouse <mouse%Rodents-Montreal.ORG@localhost>
Date: Mon, 27 Mar 2017 18:04:59 -0400 (EDT)

>>> For the most recent example, an older version of a popular library
>>> used to have the "maximum channel packet size" concept completely
>>> borked up.  For a channel opened by the remote party, this library
>>> would overwrite its own maximum packet size with the remote one.
>> It seems like every implementer has stories like this, but no-one
>> can really mention them in public because you don't want to
>> embarrass a particular vendor...

Well, in many cases.  I, for example, am not at all chary about naming
OpenSSH as the implementation whose misfeature prompted me to add
-share-number to moussh (even the moussh manpage does so), and I'd name
the vendor of the devices whose implementation crashed when given
string@domianname extensions if I remembered it (and were sure I
rememebred it right).  But I can certainly understand at least a few of
the reasons not everyone is as willing as I am to do that.

However...

>> would there be any interest in having a private list of email
>> addresses of people to exchange information like this with?

...I don't see any need to name-and-shame on such a list.  It's the
misbehaviour, not whose implementation exhbits it, that matters for
implementation purposes.

There might perhaps be value in an implementation with options to make
it exhibit various kinds of misbehaviour, for testing against.  (I'm
tempted to turn moussh into such a one, but now is not a good time for
me to be taking on more timesinks.)

> That sounds like a good idea. I would be interested to follow and
> participate.

Me too.

> The obstacle seems to be getting people together.  Those of us
> whoâ??ve been around for 15 years may be on this mailing list.  Iâ??m
> not sure if this is true for authors of newer implementations, who
> might benefit from this information most.

I'm not sure either.  Perhaps if the list were archived and the
archives were up somewhere on the Web, the new crowd who expects
everything to be Web this and Web that might be able to find it?

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Follow-Ups:
- Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
  - From: Peter Gutmann
- Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
  - From: Darren Tucker

References:
- Fixing exchange of host keys in the SSH key exchange
  - From: denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Mouse
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Mouse
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: denis bider (Bitvise)

Prev by Date: Re: Fixing exchange of host keys in the SSH key exchange
Next by Date: Re: Fixing exchange of host keys in the SSH key exchange
Previous by Thread: Re: Fixing exchange of host keys in the SSH key exchange
Next by Thread: Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
Indexes:

Home | Main Index | Thread Index | Old Index