ietf-openpgp

Re: Algorithms and specifiers

1998-03-21 08:50:35

In <3(_dot_)0(_dot_)5(_dot_)32(_dot_)19980320234202(_dot_)009a4100(_at_)popd(_dot_)ix(_dot_)netcom(_dot_)com>, on 03/20/98 at 11:42 PM, Bill Stewart <bill(_dot_)stewart(_at_)pobox(_dot_)com> said:

> I agree with Jon Callas here - the list of symmetric algorithm
> preferences indicates which algorithms the recipient is prepared to
> accept. Ignoring the order of them is fine (sender and receiver will
> often have different sets of preferences, and especially different order,
> so you need to support this in general anyway.)
> But if you want to send somebody a message they can decrypt, you need to
> send an algorithm they understand.
> The usual Internet principle about being conservative about what you send
> and liberal about what you accept certainly applies here.
> I'd call it a MUST.  DES3 is a special case, since supporting it is a
> MUST, but putting it on your list of preferences probably shouldn't
> be.

I can think of several scenarios where this would be impractical.

User x generates keys using WimpyPGP(tm) that only supports the bare
minimum of algorithms. He now goes and updates to SuperPGP(tm) that has
every algorithm under the sun. Before anyone can send him any messages
encrypted with one of the "new" algorithms he must update his keys and
re-distribute them.

Another example may be that user x has SuperPGP(tm) at home and
WimpyPGP(tm) at work. User x has only one key. What preferences should be
on his key?

There also may be cases where a user *does not* wish to advertise what
algorithms he is using "in the clear".

My biggest objection is a matter of principle. It's *my* message. If I do
not trust the "security" of 3DES and wish to send all my messages out
using CAST5 why should I be prevented from doing so?


-- 
---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/esecure.html
---------------------------------------------------------------

Tag-O-Matic: OS/2: Not just another pretty program loader!

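
An added example, not part of the original message or of any PGP implementation: a sketch of the sender-side choice this thread argues over, where each key's preference list plus the mandatory 3DES defines what that recipient accepts. The function names, the `strict` switch and the sample keys are assumptions made for illustration.

```python
# Added illustration (not from the original message). IDs are OpenPGP's
# symmetric-algorithm identifiers; key contents below are constructed.
IDEA, TRIPLE_DES, CAST5, BLOWFISH = 1, 2, 3, 4
NAMES = {IDEA: "IDEA", TRIPLE_DES: "3DES", CAST5: "CAST5", BLOWFISH: "Blowfish"}


def acceptable(prefs):
    """Algorithms a key is taken to accept: those it lists, plus 3DES,
    which must be supported even when it is not listed."""
    return set(prefs) | {TRIPLE_DES}


def choose_cipher(sender_order, recipient_prefs, strict=True):
    """Pick one symmetric algorithm for a message to several recipients.

    sender_order    -- sender's own ranking, most preferred first
    recipient_prefs -- {recipient: [algorithm ids listed on that key]}
    strict=True     -- preference lists are binding (the MUST reading)
    strict=False    -- sender's first choice wins (the objection's reading)
    Returns (algorithm id, recipients whose key does not cover it).
    """
    if not sender_order:
        raise ValueError("sender must rank at least one algorithm")
    accepted = {who: acceptable(p) for who, p in recipient_prefs.items()}
    if strict:
        # First sender choice every recipient accepts; 3DES always qualifies.
        common = [a for a in sender_order
                  if all(a in s for s in accepted.values())]
        algo = common[0] if common else TRIPLE_DES
    else:
        algo = sender_order[0]
    uncovered = sorted(w for w, s in accepted.items() if algo not in s)
    return algo, uncovered


# Constructed scenario: x's key was generated by a minimal implementation and
# never updated; y's key lists two algorithms; the sender prefers CAST5.
KEYS = {"x": [TRIPLE_DES], "y": [CAST5, BLOWFISH]}
SENDER = [CAST5, IDEA]

if __name__ == "__main__":
    for strict in (True, False):
        algo, uncovered = choose_cipher(SENDER, KEYS, strict=strict)
        print(f"strict={strict}: {NAMES[algo]}, not advertised by {uncovered}")
```

With the stale key for x, the binding reading falls back to 3DES, while the sender-decides reading picks CAST5 and reports x as a recipient whose key does not advertise it.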

