I just read the draft. Lots and lots of bit twiddling, 0 < x < 192 if
this bit is set, then 2 << x-192+y if this bit set, 8 bit proprietry
floating point format, the legacy length of length bit twiddling (0 in
two bit field masked out of CTB is 1 byte length field, 1 is 2 byte, 2
is 3 byte 3 is undefined).
Arrrgh!
All this bit twiddling and little hacks to scrimp on an extra bit here
and there is dangerous! Which hacker is it at PGP Inc that thrives on
these bit twiddling hacks? Come one 'fess up!
It adds complexity all over the place, introduces numerous extra
branches and possible failure points in the code... the likely coding
failures could turn out to adversely affect security.
To test all of the decision points in your software to check for
correct operation, you construct test messages, and run a test job to
exercise branches -- with all the extra conditions and combinations
introduced by the bit twiddling it adds significant extra risk of a
coding error slipping through.
Also (thinking of the notional smart card hacker that Jon mentioned)
bit twiddling causes code bloat, and performance degradation.
Simplicity is important for security software. Add no more complexity
than absolutely necessary.
Simplicity is also important if we want people to implement to the
standard.
I hereby call for length fields to be universally encoded as a 32 bit
integer. And all the above bit twiddling to be trashed. Relegate LOL
(length of length) and all the other length bit twiddling to MAY for
backwards compatibility.
I would also argue for scrapping the non standard CFB hack (resyncing
on semantic boundaries) and putting in place standard
cipher-block-sized CFB.
I'll relay a little hacking I did. I coded up an RSA and IDEA
encryption app. I did the obvious things, used 32 bit length fields,
whole byte (gasp the extravagance, a whole 8 bits!) packet types, 64
bit CFB etc. I used bits of SSLeay for bigints, the rest I coded
myself. Took me about a week in total.
It took me as long to frig with the bit twiddling that gives the
bit-fetishist at PGP jollies (and diddling with the non standard CFB
mode) to get it so that PGP could decode conventional encrypted
messages my app created as it did to code the app!
I expect other people will rediscover this experience if we keep this
hand huffman encoding mentality in the standard.
The last time I vented about this issue (I think on this list) someone
relayed that at PGP they had gone stomping around the office singing
"every bit you save, we'll be watching you,..." to the tune of the
"every move you make, ..." melody.
Adam