ietf-openpgp

Re: Further deprecating PGP2

2003-03-10 14:28:03

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Mar 10, 2003 at 04:03:17PM -0500, Jeroen van Gelderen wrote:

On Monday, Mar 10, 2003, at 15:16 US/Eastern, David Shaw wrote:
Killing of the sending of IDEA-encrypted messages also addresses my
concern: I will be able to decrypt any OpenPGP message sent to me
without being legally required to pay IDEA licensing fees. And Derek
can keep reading his existing mail.

I'm not sure if I understand this comment.  Can you clarify?  A
message encrypted by an OpenPGP program to an OpenPGP key "MUST NOT
use a symmetric algorithm that is not in the recipient's preference
list." (section 12.1) If you don't have a preference for IDEA, then
anyone sending you an OpenPGP message that uses IDEA is already
non-compliant.

I guess I'm happy then :)

Is a PGP2 key with IDEA listed as its single preferred algorithm 
considered an OpenPGP key? (I hope not, otherwise I still can't send 
all OpenPGP messages without a license.)

PGP 2.x keys don't have preferences.  It is possible to "upgrade" a
PGP 2.x key with an OpenPGP self-signature and thus gain a preference
list.  In that case, I'd argue that the key should be treated as an
OpenPGP key, which means that a preference list consisting of only
"IDEA" would be interpreted as "IDEA or 3DES".  This is how GnuPG
handles this case, by the way.

I also support deprecating the PGP 2.x
features in OpenPGP in general.  Any program that wants to implement
PGP 2.x functionality can still do that without affecting their
OpenPGP compliance.

Except if IDEA is marked as MUST NOT, right? So I should retract that 
particular proposal.

If a program implements both RFC-1991 and OpenPGP, and RFC-1991
requires IDEA, and OpenPGP requires no IDEA.... well, we could really
tie some people in knots.  It's really just word games though: does
the "OpenPGP side" of the program have IDEA?  No, but...

SHOULD NOT, with an explanation of why, sounds good to me.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+bQMe4mZch0nhy8kRAm8qAJ0TvTVPY5XWFWGqIWANGdDdNw29ogCgr7dU
RZcLCgyRvG90WJQOeiizpYE=
=B8CX
-----END PGP SIGNATURE-----
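
The preference-list rule discussed in this message, as an added example (not part of the original post and not GnuPG's code): a sender may only use a cipher in the recipient's list, and 3DES is tacitly at the end of every list, so a list of only "IDEA" reads as "IDEA or 3DES". The function names and the tie-break by the first recipient's order are assumptions; the sample keys are constructed.

```python
# Added illustration; names and tie-break order are assumptions, not GnuPG code.
# Symmetric algorithm IDs as assigned in RFC 2440, section 9.2.
IDEA, TRIPLE_DES, CAST5, AES128 = 1, 2, 3, 7
NAMES = {IDEA: "IDEA", TRIPLE_DES: "3DES", CAST5: "CAST5", AES128: "AES128"}


def effective_prefs(prefs):
    """Preference list as a sender must read it: 3DES is tacitly last."""
    out = list(dict.fromkeys(prefs))  # drop duplicates, keep order
    if TRIPLE_DES not in out:
        out.append(TRIPLE_DES)
    return out


def is_compliant(algo, prefs):
    """True if a message using `algo` honours the recipient's list."""
    return algo in effective_prefs(prefs)


def choose_cipher(recipient_prefs, sender_supported):
    """Pick a cipher every recipient lists and the sender implements."""
    lists = [effective_prefs(p) for p in recipient_prefs]
    if not lists:
        raise ValueError("no recipients")
    common = set(lists[0]).intersection(*lists[1:])
    # Assumption: rank candidates in the first recipient's order.
    for algo in lists[0]:
        if algo in common and algo in sender_supported:
            return algo
    raise ValueError("no cipher satisfies every recipient and the sender")


if __name__ == "__main__":
    # Constructed sample keys: an upgraded PGP 2.x key and a modern key.
    upgraded_pgp2 = [IDEA]
    modern = [AES128, CAST5]
    no_idea_sender = {TRIPLE_DES, CAST5, AES128}
    full_sender = no_idea_sender | {IDEA}
    print(NAMES[choose_cipher([upgraded_pgp2], full_sender)])
    print(NAMES[choose_cipher([upgraded_pgp2], no_idea_sender)])
    print(NAMES[choose_cipher([modern, upgraded_pgp2], full_sender)])
    print(is_compliant(IDEA, modern))
```

A sender without IDEA can still encrypt to the upgraded PGP 2.x key because 3DES is always an acceptable fallback.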
