[145200] in cryptography@c2.net mail archive
Re: "Against Rekeying"
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Mar 26 18:26:22 2010
Date: Fri, 26 Mar 2010 12:02:35 -0500
From: Nicolas Williams <Nicolas.Williams@Sun.COM>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <87d3yr9n8x.fsf@snark.cb.piermont.com>
On Fri, Mar 26, 2010 at 10:22:06AM -0400, Peter Gutmann wrote:
> I missed that in his blog post as well. An equally big one is the SSHv2
> rekeying fiasco, where for a long time an attempt to rekey across two
> different implementations typically meant "drop the connection", and it still
> does for the dozens(?) of SSH implementations outside the mainstream of
> OpenSSH, Putty, ssh.com and a few others, because the procedure is so complex
> and ambiguous that only a few implementations get it right (at one point the
> ssh.com and OpenSSH implementations would detect each other and turn off
> rekeying because of this, for example). Unfortunately in SSH you're not even
> allowed to ignore rekey requests like you can in TLS, so you're damned if you
> do and damned if you don't [0].

I made much the same point, but just so we're clear, SSHv2 re-keying has
been interoperating widely since 2005. (I was at Connectathon, and
while the details of Cthon testing are proprietary, I can generalize and
tell you that interop in this area was very good.)

Nico