I mentioned this earlier in a different context.
One problem is that each public key and passphrase key prepended to the
symmetrically encrypted packet will need to create a context if I want to
do things in one pass. What would be better is a one-pass-symencrypt
header similar to the one pass sigs which would have the algorithm and the
first 10 bytes so that you could pretest the passphrase keys as they
occured (and the speculative public keys).
Note this also creates a problem if there is ever a cipher with a block
length greater than 8. Without the 10 byte header there would be no easy
way to determine if a passphrase key actually worked. And I worry about
the probability of the byte pair matching but with the wrong key.
It would still help to have a checksum on the SKESK, and that too could be
detected (by the key length determined by the algorithm leaving two
bytes). Or a CRC since random bytes would tend to average to the same
mean value. Or even an XOR of every byte pair or something.
--- reply to tzeruch - at - ceddec - dot - com ---