On Fri, Mar 26, 2010 at 10:22:06AM -0400, Peter Gutmann wrote:
> I missed that in his blog post as well.  An equally big one is the SSHv2
> rekeying fiasco, where for a long time an attempt to rekey across two
> different implementations typically meant "drop the connection", and it still
> does for the dozens(?) of SSH implementations outside the mainstream of
> OpenSSH, Putty, ssh.com and a few others, because the procedure is so complex
> and ambiguous that only a few implementations get it right (at one point the
> ssh.com and OpenSSH implementations would detect each other and turn off
> rekeying because of this, for example).  Unfortunately in SSH you're not even
> allowed to ignore rekey requests like you can in TLS, so you're damned if you
> do and damned if you don't [0].

I made much the same point, but just so we're clear, SSHv2 re-keying has
been interoperating widely since 2005.  (I was at Connectathon, and
while the details of Cthon testing are proprietary, I can generalize and
tell you that interop in this area was very good.)


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to