At 10:38 AM 9/30/98 +0200, Werner Koch wrote:
> Can we restrict the SHOULD to hashed subpackets? Otherwise it is
> easy to invalidate a signature by setting the critical bit in an
> unhashed subpacket.
Remember what SHOULD means:
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
If you, as a developer, believe that there is greater danger in the
potential denial-of-service attack from critical unhashed subpackets than
there is value from them, you are free to ignore it.
Jon
-----
Jon Callas jon(_at_)pgp(_dot_)com
CTO, Total Network Security 3965 Freedom Circle
Network Associates, Inc. Santa Clara, CA 95054
(408) 346-5860
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)
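
The policy choice discussed in this message, as an added example that is not part of the original e-mail or of any OpenPGP implementation: a subpacket-area parser plus a critical-bit check that always honors the bit in the hashed area and makes honoring it in the unhashed area a switch. KNOWN_TYPES, the function names and the sample bytes are assumptions constructed for illustration; the cryptographic verification of the signature is not performed.

```python
# Added example: constructed data and hypothetical names, not from any OpenPGP implementation.
KNOWN_TYPES = {2, 16}  # assumption: this verifier understands creation time (2) and issuer (16)

def parse_subpackets(area: bytes):
    """Return [(type, critical, body)] for one v4 signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket length out of bounds")
        type_octet = area[i]                 # bit 7 of the type octet is the critical bit
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]))
        i += length
    return out

def unknown_critical(area: bytes):
    """Types flagged critical that this verifier does not understand."""
    return [t for t, crit, _ in parse_subpackets(area) if crit and t not in KNOWN_TYPES]

def accept_signature(hashed: bytes, unhashed: bytes, honor_unhashed_critical: bool) -> bool:
    """Critical-bit policy check only; the cryptographic check is out of scope here."""
    if unknown_critical(hashed):             # covered by the signature hash: always honored
        return False
    # The unhashed area is not covered by the hash, so anyone relaying the
    # signature can change it; honoring the bit there lets them invalidate it.
    return not (honor_unhashed_critical and unknown_critical(unhashed))

# Constructed sample areas (not taken from a real signature).
HASHED = bytes([5, 2]) + (907151880).to_bytes(4, "big")         # creation time
UNHASHED = bytes([9, 16]) + bytes.fromhex("0123456789abcdef")   # issuer key ID
TAMPERED = UNHASHED + bytes([1, 0x80 | 100])                    # critical, type 100, empty body

if __name__ == "__main__":
    for honor in (True, False):
        print(honor, accept_signature(HASHED, UNHASHED, honor),
              accept_signature(HASHED, TAMPERED, honor))
```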