[plug] SSH v2 protocol: easy solution

Christian christian at amnet.net.au
Thu Jul 13 11:49:44 WST 2000


On Thu, Jul 13, 2000 at 11:28:22AM +0800, Colin Muller wrote:
> > My point is based on the comments in the article referred to in my first
> > post in this thread.  According to that article the IETF standardisation
> > appeared not to be progressing
> 
> That's a genuine problem.

Upon looking up the copy of the Internet Draft that I have, I found it
dated 11 May 2000 which strongly suggests that the journalist who wrote
the article didn't do a great deal of research on this matter.  This
indicates (hopefully) that the standardisation of SSH is progressing
after all. :-)

> > and that incompatibilities were being
> > discovered between multiple implementations of protocol v2.
> 
> And that's not a problem - not in itself, anyway. It's a normal part of
> the IETF process, which requires two independent implementations of
> anything to be available. I imagine this requirement is precisely
> because initial implementations are bound to differ, and the reasons for
> this (e.g. imprecision in the draft spec) need to become understood and
> fixed before progress towards a standard can continue. If, as you say,
> the spec is not being fixed, then that's a problem.

My major concern isn't even interoperability.  It's more that if people
aren't keeping to the specification (assuming one exists) then it's more
than possible that the resulting deviation will introduce security
vulnerabilities.  Even tiny changes to such a protocol can obviate any
and all security.

 
> And that I agree is a huge problem. But surely widespread use of OpenSSH
> as suggested by Leon is the single thing most likely to jolt the process
> into action again?

Possibly.  Or suggest to SSH Communications Security Inc. to abandon the
standardisation process while they still have market share to leverage.
If the protocol is never standardised then they would have more chance
of keeping users while, on the other hand, an open standard would allow
free implementations to flourish.  If the protocol is not openly
specified, subjected to proper peer review and then implemented as per
the specification then it is probably not something to depend on in the
long run regardless of whether OpenSSH is the dominant version or not.

Regards,

Christian.


