On Mar 16, 2015, at 7:10 PM, Peter Gutmann
<pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> wrote:
The whole bizarro sort-of-fixed-point encoding of lengths is a pain (this is a
cue for Jon to do his "every bit is sacred" dance). If the format is revised,
there should be only two lengths, a 16-bit one for almost everything (keyring
data, signatures, etc), and a 32-bit one for payloads and partial lengths that
are going to exceed 16-bit lengths.
Okay... NOOOOOOOOO!!!!! For the love of God, Montressor, only *one* type of
length. You’re spending more space in the parsing code and sooner or later,
someone’s going to screw it up and there will be a stupid ass security problem
that could have been solved by just spending the two damned extra bytes.
While I'm venting, shall I get started on the MDC kludge?
Sure. Go right ahead.
But when you do, take into account that MDC pre-dates HMAC and at the time, one
of the major objections was a "why would you want to have symmetric crypto
protection when you could just sign it" whine, and the other was excessive
worry about single-pass processing that got so irrational we couldn’t work
through it.
Standards are compromises, and a good compromise leaves everyone a bit grumpy.
Since those days, I’ve developed an affection for MDC because it sits in a
nether world where related concepts like deniable encryption that also sound
good until you think about them for long enough. And it doesn’t hurt anything,
because if you really want it protected, just sign the darned thing.
But please, please, go right ahead.
Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp