William H. Geiger III <whgiii(_at_)invweb(_dot_)net> writes:
> I had not thought of leaking key data this way. If the group feels this is
> a real concern, couldn't the same type of "leaking" be done with the
> "boundary" in the MIME headers?
Or with the session key or IV, or the padding of the key to the RSA modulus
size, or the 'k' parameter of a DSS signature, or probably any number of
subtler ways: fields which by their nature must *not* be generated in an
externally predictable way.
I may be missing something here, but it seems to me that attempting to write
this specification to completely disallow subliminal/covert channels is a
fool's errand. It's already necessary that the PGP implementation be trusted.
Adding requirements such as this one (specifying that the MessageID be
externally verifiable) makes the spec more complicated and more difficult to
implement, but doesn't actually increase security at all.
Wim Lewis / wiml(_at_)omnigroup(_dot_)com
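The covert channel discussed in this exchange, as an added example that is not part of the original thread and not code from any PGP implementation: a hypothetical backdoored implementation hides private-key bytes in the MIME boundary, XORed with a keystream derived from a leak key (the name LEAK_KEY and the HMAC-based keystream are assumptions for illustration) that it shares with an eavesdropper, while an honest implementation draws the boundary from os.urandom. The secret below is constructed sample data standing in for key material. The only externally checkable property of a boundary is RFC 2046 syntax, and both boundaries pass it; the same construction carries over to any field that must be unpredictable, such as an IV or the DSS 'k'.

```python
import hashlib
import hmac
import os
import re

# Assumed leak key shared by the backdoored implementation and the eavesdropper.
# It is not part of the user's PGP keys and never appears on the wire.
LEAK_KEY = b"example-leak-key-for-illustration"

CHUNK = 16  # bytes of secret smuggled per message (boundary = 32 hex chars)

# RFC 2046 "bcharsnospace": DIGIT / ALPHA / ' ( ) + _ , - . / : = ?  (1..70 chars)
BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=?]{1,70}$")


def keystream(leak_key: bytes, msg_index: int, n: int) -> bytes:
    """Deterministic per-message keystream (assumed construction): HMAC-SHA256 over
    the message index, truncated to n bytes. Looks random to anyone without the key."""
    return hmac.new(leak_key, msg_index.to_bytes(8, "big"), hashlib.sha256).digest()[:n]


def honest_boundary() -> str:
    """What a well-behaved implementation does: a fresh random boundary."""
    return "=-" + os.urandom(CHUNK).hex()


def subliminal_boundary(secret: bytes, msg_index: int, leak_key: bytes = LEAK_KEY) -> str:
    """Covert sender: boundary = CHUNK bytes of `secret` XOR keystream, hex-encoded.
    Same length and alphabet as honest_boundary(); indistinguishable without leak_key."""
    chunk = secret[msg_index * CHUNK:(msg_index + 1) * CHUNK].ljust(CHUNK, b"\x00")
    ks = keystream(leak_key, msg_index, CHUNK)
    return "=-" + bytes(a ^ b for a, b in zip(chunk, ks)).hex()


def recover_chunk(boundary: str, msg_index: int, leak_key: bytes = LEAK_KEY) -> bytes:
    """Eavesdropper: strip the '=-' prefix, undo the XOR with the same keystream."""
    body = bytes.fromhex(boundary[2:])
    ks = keystream(leak_key, msg_index, CHUNK)
    return bytes(a ^ b for a, b in zip(body, ks))


def recover_secret(boundaries, leak_key: bytes = LEAK_KEY, secret_len: int = 32) -> bytes:
    """Reassemble the secret from the boundaries of consecutive captured messages."""
    out = b"".join(recover_chunk(b, i, leak_key) for i, b in enumerate(boundaries))
    return out[:secret_len]


def spec_check(boundary: str) -> bool:
    """The only check an outside verifier can apply: syntactic validity per RFC 2046."""
    return bool(BOUNDARY_RE.match(boundary)) and not boundary.endswith(" ")


def demo():
    # Constructed stand-in for 32 bytes of private-key material.
    secret = bytes(range(32))
    leaky = [subliminal_boundary(secret, i) for i in range(2)]
    honest = honest_boundary()
    both_valid = all(spec_check(b) for b in leaky + [honest])
    same_shape = all(len(b) == len(honest) for b in leaky)
    leaked_ok = recover_secret(leaky) == secret
    return both_valid, same_shape, leaked_ok


if __name__ == "__main__":
    print(demo())  # all three True
```

Two messages suffice to carry a 32-byte secret, every boundary is a legal RFC 2046 token of the same length as an honest one, and only a holder of the leak key can tell the two apart. That is why a spec requirement that a field be "externally verifiable" cannot close the channel: the property that would need verifying is the randomness of the generator inside the implementation, which is exactly the part that has to be trusted.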