ietf-openpgp

Re: Further deprecating PGP2

2003-03-10 13:17:35

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Mar 10, 2003 at 02:18:04PM -0500, Jeroen van Gelderen wrote:

> Ah, thanks for the use case. I think I understand. I think that could
> be achieved by you using an OpenPGP program that MAY support IDEA
> decryption, no?
>
> "An OpenPGP MAY support decryption of IDEA-encrypted messages but MUST
> NOT generate them."
>
> Or if that really, really is considered too weak: "An OpenPGP
> implementation SHOULD support decryption of IDEA-encrypted messages but
> MUST NOT generate them."
>
> Is there any objection to the MUST NOT bit? I would think that
> addressing Derek's use case removes any barrier for people to upgrade
> to a recent OpenPGP implementation. And in that case we should really
> kill off the support for those who insist on using outdated software. We
> don't want to support Mediacrypt until 2011.
>
> Killing off the sending of IDEA-encrypted messages also addresses my
> concern: I will be able to decrypt any OpenPGP message sent to me
> without being legally required to pay IDEA licensing fees. And Derek
> can keep reading his existing mail.

I'm not sure if I understand this comment.  Can you clarify?  A
message encrypted by an OpenPGP program to an OpenPGP key "MUST NOT
use a symmetric algorithm that is not in the recipient's preference
list." (section 12.1) If you don't have a preference for IDEA, then
anyone sending you an OpenPGP message that uses IDEA is already
non-compliant.

You could be sent a PGP 2.x message that uses IDEA, but PGP 2.x isn't
subject to the OpenPGP spec.

That said, I do support removing the SHOULD from IDEA (and the current
draft has already done this).  I also support deprecating the PGP 2.x
features in OpenPGP in general.  Any program that wants to implement
PGP 2.x functionality can still do that without affecting their
OpenPGP compliance.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+bPKP4mZch0nhy8kRAlXJAKDg2e0qwksbHLHqxQU+fOWtsEqEegCeMNjM
k0h8TF8TITrIHQ/kQJlcJP8=
=ZhTK
-----END PGP SIGNATURE-----
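
The section 12.1 rule cited in this message, combined with the "decrypt but MUST NOT generate" policy proposed in the quoted text, as an added Python example (not code from either poster or from any OpenPGP implementation). The function names, the `may_generate` policy set and the tie-breaking rule are assumptions made for illustration; the tacit TripleDES entry comes from the same section of the spec.

```python
# Symmetric algorithm IDs from the OpenPGP registry (RFC 2440).
IDEA, TRIPLE_DES, CAST5, BLOWFISH, AES128, AES192, AES256, TWOFISH = 1, 2, 3, 4, 7, 8, 9, 10


def effective_prefs(prefs):
    """Recipient list with TripleDES tacitly appended when absent (section 12.1)."""
    prefs = list(prefs)
    return prefs if TRIPLE_DES in prefs else prefs + [TRIPLE_DES]


def is_compliant(cipher, recipient_prefs):
    """True if the cipher is in every recipient's (effective) preference list."""
    return all(cipher in effective_prefs(p) for p in recipient_prefs)


def choose_cipher(recipient_prefs, may_generate):
    """Pick a cipher every recipient accepts and the sender may encrypt with.

    recipient_prefs: one preference list per recipient key, most preferred first.
    may_generate:    algorithm IDs the sender is allowed to produce (hypothetical
                     policy knob; leave IDEA out to model "MUST NOT generate").
    """
    lists = [effective_prefs(p) for p in recipient_prefs]
    common = set(lists[0]).intersection(*lists[1:]) & set(may_generate)
    if not common:
        raise ValueError("sender policy excludes every cipher the recipients accept")
    # Assumption: rank by summed position across recipients, then by the first
    # recipient's order. The spec does not say how to merge several lists.
    return min(common, key=lambda a: (sum(l.index(a) for l in lists), lists[0].index(a)))


if __name__ == "__main__":
    sender_policy = {TRIPLE_DES, CAST5, AES128, AES256}   # constructed: no IDEA
    # Constructed recipient lists: a modern key, a key that lists IDEA first,
    # and a key whose only stated preference is IDEA.
    for prefs in ([AES256, CAST5], [IDEA, CAST5], [IDEA]):
        print(prefs, "->", choose_cipher([prefs], sender_policy))
    # A sender using IDEA to a key that does not list it breaks section 12.1.
    print(is_compliant(IDEA, [[AES256, CAST5]]))
```
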