-Currently, the low 16 bits are allocated for negotiating bulk-crypto
-transforms. Bits 8 to 15 are used by Secnet as default capability
-numbers for the various kinds of transform closures: bit 8 is for the
-original CBCMAC-based transform, and bit 9 for the new EAX transform;
-bits 10 to 15 are reserved for future expansion. The the low eight bits
-are reserved for local use, e.g., to allow migration from one set of
-parameters for a particular transform to a different, incompatible set
-of parameters for the same transform. The high 16 bits have not yet
-been assigned a purpose.
-
-No early capability bits are currently defined.
+Capability bits 8 to 31 are used by Secnet as default capability numbers
+for various features: bit 8 is for the original CBCMAC-based transform,
+and bit 9 for the new EAX transform; bit 10 for traditional finite-field
+Diffie--Hellman; bits 11 to 14 and 16 to 30 are reserved for future
+expansion. The the low eight bits are reserved for local use, e.g., to
+allow migration from one set of parameters for a particular transform to
+a different, incompatible set of parameters for the same transform. Bit
+31, if advertised by both ends, indicates that a mobile end gets
+priority in case of crossed MSG1.
+
+Bit 15 is special: it signifies (a) that the sender is reporting all of
+its transforms and DH groups explicitly, and (b) that it uses all 32
+capability bits to do so. Older Secnets only checked the low 16 bits
+for known capabilities.
+
+Whether a capability number is early depends on its meaning, rather than
+being a static property of its number. That said, the mobile-end-gets
+priority bit (31) is always sent as an `early' capability bit.
~mdw / secnet / blobdiff