[noise] "have one joint and keep it oiled"

David Wong davidwong.crypto at gmail.com
Fri Dec 29 03:12:26 PST 2017

> Handshake payloads are (often) encrypted, so making them extensible is
> maybe less about middleboxes and more about not painting yourself into
> a corner where you'd like to extend your protocol but can't.

This related comment on SSHv2 is interesting as well:

> Similar rusting has happened in SSH v2 and has required "innovative
> approaches" (e.g. using a field not originally intended for this purpose)
> to add an extension mechanism
> <https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-15>. The
> original extension field in SSH_MSG_KEXINIT cannot be used because even
> though the spec defined it this way

> uint32       0 (reserved for future extension)

> ... some implementations misinterpreted this and are not only sending a
> 0, but also *checking* that they receive a 0 (mighty support for "future
> extension"!). Another doesn't make an explicit check but assumes it's 0 and
> miscalculates the key exchange if it's not.
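
An added example (not part of the original message, and not taken from any SSH implementation) of the two failure modes quoted above, using the SSH_MSG_KEXINIT layout from RFC 4253 section 7.1. The function names are hypothetical, the cookie and algorithm lists are constructed, `ext-info-c` is the marker the linked draft places in the kex algorithm name-list, and `transcript_digest` is a simplified stand-in for the exchange hash, which covers the raw KEXINIT payloads.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20   # RFC 4253 section 7.1
NAME_LISTS = 10        # kex, host key, 2x cipher, 2x MAC, 2x compression, 2x language


def build_kexinit(kex_algs, reserved=0):
    """Serialize a KEXINIT payload; only the kex name-list carries real content."""
    lists = [",".join(kex_algs).encode()] + [b"none"] * (NAME_LISTS - 1)
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)          # constructed all-zero cookie
    for nl in lists:
        out += struct.pack(">I", len(nl)) + nl
    return out + b"\x00" + struct.pack(">I", reserved)  # first_kex_packet_follows, reserved


def parse_kexinit(payload, strict_reserved=False):
    """Return (kex_algs, reserved). strict_reserved=True reproduces the rusted check."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, []                                 # skip message type and cookie
    for _ in range(NAME_LISTS):
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        lists.append(payload[off:off + n].decode("ascii").split(","))
        off += n
    if off + 5 != len(payload):                         # boolean + uint32 must remain
        raise ValueError("bad trailer length")
    (reserved,) = struct.unpack_from(">I", payload, off + 1)
    if strict_reserved and reserved != 0:
        raise ValueError("reserved field is not 0")     # breaks any future extension
    return lists[0], reserved


def transcript_digest(payload, assume_reserved_zero=False):
    """Hash the payload as received, or as a peer that assumes reserved == 0 sees it."""
    if assume_reserved_zero:
        payload = payload[:-4] + bytes(4)               # silently rewrites the field
    return hashlib.sha256(payload).hexdigest()
```

A tolerant receiver calls `parse_kexinit(payload)` and hashes the bytes exactly as received; the `strict_reserved=True` and `assume_reserved_zero=True` paths are the two behaviours that made the reserved field unusable.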
