On Fri, Mar 26, 2010 at 10:22:06AM -0400, Peter Gutmann wrote:

> I missed that in his blog post as well. An equally big one is the SSHv2
> rekeying fiasco, where for a long time an attempt to rekey across two
> different implementations typically meant "drop the connection", and it still
> does for the dozens(?) of SSH implementations outside the mainstream of
> OpenSSH, Putty, ssh.com and a few others, because the procedure is so complex
> and ambiguous that only a few implementations get it right (at one point the
> ssh.com and OpenSSH implementations would detect each other and turn off
> rekeying because of this, for example). Unfortunately in SSH you're not even
> allowed to ignore rekey requests like you can in TLS, so you're damned if you
> do and damned if you don't [0].
I made much the same point, but just so we're clear, SSHv2 re-keying has been interoperating widely since 2005. (I was at Connectathon, and while the details of Cthon testing are proprietary, I can generalize and tell you that interop in this area was very good.)

Nico