Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]

[Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>]

Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>...I don't see any need to name-and-shame on such a list.  It's the
>misbehaviour, not whose implementation exhbits it, that matters for
>implementation purposes.

It's not so much concerns about name-and-shame, it's that it's
impossible not to name vendors when you need to know whose SSH ID
to check for to add a workaround.  So it's pretty much something that 
can't be discussed in public for most people.

>Yes, I would support - and participate in, provided it isn't done in 
>a way that ends up excluding me - such an effort. 

I wasn't necessarily thinking a full email list, that's way too
organised, just a list of CC: addresses of people who'd be willing to
share info.  So far we've got you, me, and Denis AFAIK.

>It also might be interesting to do interop testing. 

Or just some agreement to run an instance of your implementation at
some fixed location so people could bounce messages off it.

Peter.