On Fri, 17 Jul 1998, Jon Callas wrote:
At 10:32 AM 7/17/98 +1000, ? the Platypus {aka David Formosa} wrote:
>From my reading the OpenPGP requires both encryption and digital
signatures. However for some applications authenication without
encryption is needed, would it be possable to alter the wording to allow
signature only implimenations?
Opinions? I think he's got a good point and am ashamed that I overlooked
this myself, but is there a way to fix this at this late date?
DH is a MUST implying that encryption is a MUST, though it doesn't
strictly say this. I could take it as "IF encryption is implemented, DH
is a MUST". Or just add (in the general section) implementations MUST do
signatures, they SHOULD do encryption.
OTOH, I can see where a compliant implementation MUST do both. If you
have something like a time stamper, it need not, but that is the
application (i.e. if you linked with my library statically, you would not
pull in the encryption and decryption routines).
It also goes deeper. There are implicit and explicit preferences. We
don't have anything that says "CAN'T" for a preferred encryption
algorithm, so how do you create a signature that says this? (it does say
that zero, the plain text algorithm isn't to be used). For this reason we
probably don't want to alter the current wording.
An implementation that does no encryption because it is the nature of the
application could be considered compliant. But I would still consider an
application that was sign/verify-only for something like email as being
non-compliant. People are free to use an "OpenPGP compatible/compliant"
format even if the implementation as a whole isn't.
So for now, I would want to leave things as they are. (and maybe start an
Open Pretty-Good-Authentication discussion).
--- reply to tzeruch - at - ceddec - dot - com ---