At the Washington meeting, two related topics came up. One was the marker
packet -- there was a suggestion that the marker packet body be allowed to
hold a manufacturer's string; presently, it is mandated to be the string
"PGP". Jeff Schiller pointed out that there is a potential security flaw in
this, that it can send information that weakens or nullifies the
encryption. He recommended that we make it be a constant to prevent misuse.

I pointed out that there was also the comment packet, which has changed its
opcode number. He recommended that it be eliminated for the same reasons,
and no one objected.

RFC1991 says it's never been implemented. If anyone *has* implemented it,
it will break between OpenPGP and previous versions.

With Lutz's message, it sounds like he's implemented it. Has anyone else
implemented it? Does anyone want to argue why it should be there, or pick
up the argument on eliminating it?

Jon Callas jon(_at_)pgp(_dot_)com
CTO, Total Network Security 4200 Bohannon Drive
Network Associates, Inc. Menlo Park, CA 94025
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)
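
The constant-body rule discussed in the message above can be checked mechanically. The following is an added example, not part of the original message or of any PGP implementation: it walks a binary OpenPGP packet stream and reports marker packets whose body is anything other than "PGP". The tag value 10 and the header layouts are assumptions taken from the published OpenPGP format (RFC 4880), not from the message, and the sample bytes are constructed.

```python
MARKER_TAG = 10          # marker packet tag (assumption: value from RFC 4880)
MARKER_BODY = b"PGP"     # the only body the format permits


def read_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet header is not set")
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:                 # one-octet length
                length = first
            elif first < 224:               # two-octet length
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:              # five-octet length
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                  # indeterminate: runs to end of input
                length = len(data) - i
            else:
                n = 1 << ltype              # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + n], "big")
                i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length


def nonconstant_markers(data):
    """Return the bodies of marker packets that are not the constant b'PGP'."""
    return [body for tag, body in read_packets(data)
            if tag == MARKER_TAG and body != MARKER_BODY]


# Constructed sample: old-format marker, new-format marker, then a marker
# carrying a free-form string of the kind the constant rule is meant to exclude.
SAMPLE = b"\xa8\x03PGP" + b"\xca\x03PGP" + b"\xa8\x06ACME-1"
```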