"Against Rekeying"

Nicolas Williams Nicolas.Williams at Sun.COM
Fri Mar 26 13:02:35 EDT 2010

On Fri, Mar 26, 2010 at 10:22:06AM -0400, Peter Gutmann wrote:
> I missed that in his blog post as well.  An equally big one is the SSHv2
> rekeying fiasco, where for a long time an attempt to rekey across two
> different implementations typically meant "drop the connection", and it still
> does for the dozens(?) of SSH implementations outside the mainstream of
> OpenSSH, Putty, ssh.com and a few others, because the procedure is so complex
> and ambiguous that only a few implementations get it right (at one point the
> ssh.com and OpenSSH implementations would detect each other and turn off
> rekeying because of this, for example).  Unfortunately in SSH you're not even
> allowed to ignore rekey requests like you can in TLS, so you're damned if you
> do and damned if you don't [0].

I made much the same point, but just so we're clear, SSHv2 re-keying has
been interoperating widely since 2005.  (I was at Connectathon, and
while the details of Cthon testing are proprietary, I can generalize and
tell you that interop in this area was very good.)

