[noise] "have one joint and keep it oiled"
davidwong.crypto at gmail.com
Fri Dec 29 03:12:26 PST 2017
> Handshake payloads are (often) encrypted, so making them extensible is
> maybe less about middleboxes and more about not painting yourself into
> a corner where you'd like to extend your protocol but can't.
This related comment on SSHv2 is interesting as well:
> Similar rusting has happened in SSH v2 and has required "innovative
> approaches" (e.g. using a field not originally intended for this purpose)
> to add an extension mechanism
> original extension field in SSH_MSG_KEXINIT cannot be used because even
> though the spec defined it this way
>
> uint32 0 (reserved for future extension)
>
> ... some implementations misinterpreted this and are not only sending a
> 0, but also *checking* that they receive a 0 (mighty support for "future
> extension"!). Another doesn't make an explicit check but assumes it's 0 and
> miscalculates the key exchange if it's not.
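
An added example, not part of the original post and not taken from any SSH implementation: a minimal SSH_MSG_KEXINIT parser (layout per RFC 4253 section 7.1) that reproduces both failure modes the quoted comment describes. The algorithm names, the `strict_reserved` and `assume_reserved_zero` switches, and the SHA-256 digest standing in for the KEXINIT contribution to the exchange hash are assumptions made for illustration.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253, section 7.1

def build_kexinit(name_lists, reserved=0, cookie=b"\x00" * 16):
    """Serialize type, cookie, 10 name-lists, boolean, uint32 reserved."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        body = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    # first_kex_packet_follows = FALSE, then the reserved uint32
    return out + b"\x00" + struct.pack(">I", reserved)

def parse_kexinit(payload, strict_reserved=False):
    """Return (name_lists, reserved); strict_reserved=True mimics the rusted peers."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, []
    for _ in range(10):
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        body = payload[pos:pos + n].decode("ascii")
        lists.append(body.split(",") if body else [])
        pos += n
    if pos + 5 != len(payload):  # 1-byte boolean + 4-byte reserved must remain
        raise ValueError("bad trailer length")
    (reserved,) = struct.unpack_from(">I", payload, pos + 1)
    if strict_reserved and reserved != 0:
        raise ValueError("reserved field is not 0")  # first failure mode
    return lists, reserved

def kexinit_hash_input(payload, assume_reserved_zero=False):
    """Digest of the KEXINIT bytes as they would be fed into the exchange hash."""
    if assume_reserved_zero:  # second failure mode: re-encode with a hard-coded 0
        lists, _ = parse_kexinit(payload)
        payload = build_kexinit(lists, 0, payload[1:17])
    return hashlib.sha256(payload).hexdigest()

# Constructed sample: ten name-lists in RFC 4253 order, reserved set to 1.
SAMPLE_LISTS = [["curve25519-sha256"], ["ssh-ed25519"], ["aes128-ctr"], ["aes128-ctr"],
                ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
SAMPLE = build_kexinit(SAMPLE_LISTS, reserved=1)
```

A tolerant peer parses `SAMPLE` and hashes the bytes exactly as received; the strict variant rejects it, and the variant that assumes 0 derives a different digest, so the two sides would disagree on the exchange hash.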