"Against Rekeying"

Nicolas Williams Nicolas.Williams at Sun.COM
Fri Mar 26 13:02:35 EDT 2010


On Fri, Mar 26, 2010 at 10:22:06AM -0400, Peter Gutmann wrote:
> I missed that in his blog post as well.  An equally big one is the SSHv2
> rekeying fiasco, where for a long time an attempt to rekey across two
> different implementations typically meant "drop the connection", and it still
> does for the dozens(?) of SSH implementations outside the mainstream of
> OpenSSH, Putty, ssh.com and a few others, because the procedure is so complex
> and ambiguous that only a few implementations get it right (at one point the
> ssh.com and OpenSSH implementations would detect each other and turn off
> rekeying because of this, for example).  Unfortunately in SSH you're not even
> allowed to ignore rekey requests like you can in TLS, so you're damned if you
> do and damned if you don't [0].

I made much the same point, but just so we're clear, SSHv2 re-keying has
been interoperating widely since 2005.  (I was at Connectathon, and
while the details of Cthon testing are proprietary, I can generalize and
tell you that interop in this area was very good.)

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List