Adam Back says:
> Starting from PRZ's functionality list, I agree with the design.
> However I think the functionality list has a gap: it doesn't cover
> that many people will want to continue using IDEA, 3DES, Blowfish.
> There will remain no way to prevent message modification for unsigned
> messages for these.

And there's absolutely no protection for those who continue
using unencrypted unsigned e-mail.
I say - the world is moving forward.
It is bad enough to have to be compatible with the existing
"old" methods - it will be far worse to have to in addition
be compatible with "new old" methods. Enough is enough.

> is important too, and I therefore think it would be quite useful to
> have an MDC in signed and encrypted messages (as well as just encrypted
> messages) for the non-large ciphers too.

We agree here.

> Now if one adds to PRZ's functionality list that we want this to be
> backwards compatible so that non-large ciphers can use it, you need a
> way to send an MDC inside an encryption envelope such that it won't
> cause current implementations to barf. For this the appended hash
> method doesn't work (or at least I can see no elegant way to make it

A good enough reason for me to vote down the support for MDC in

> For this reason I would argue for a new signature type `symmetric
> MDC', where you put a hash (or a MAC) in a signature packet.

No MAC - as MAC will require yet another key.

> I argue that these benefits make it worth favoring the new signature
> type over the appended hash approach.

Let's say that we disagree here.
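An added example, not code from this thread or from any PGP implementation, showing the two points argued above: without an MDC a ciphertext edit under a malleable cipher mode goes undetected, and an appended hash inside the envelope is caught by an MDC-aware reader but is handed back as trailing garbage by a reader that does not expect it. The keystream cipher, the key and the message are constructed stand-ins, not an OpenPGP packet format.

```python
import hashlib
import hmac
DIGEST_LEN = 20  # SHA-1 digest length; the appended hash is the MDC

def keystream(key: bytes, n: int) -> bytes:
    # Constructed toy keystream (SHA-256 counter mode), standing in for the
    # malleable CFB/stream modes of the ciphers under discussion.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_legacy(key: bytes, pt: bytes) -> bytes:
    return xor(pt, keystream(key, len(pt)))  # envelope holds plaintext only

def decrypt_legacy(key: bytes, ct: bytes) -> bytes:
    return xor(ct, keystream(key, len(ct)))  # current reader trusts the result

def encrypt_mdc(key: bytes, pt: bytes) -> bytes:
    body = pt + hashlib.sha1(pt).digest()    # hash rides inside the envelope
    return xor(body, keystream(key, len(body)))

def decrypt_mdc(key: bytes, ct: bytes) -> bytes:
    body = xor(ct, keystream(key, len(ct)))
    pt, tag = body[:-DIGEST_LEN], body[-DIGEST_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha1(pt).digest()):
        raise ValueError("MDC mismatch: ciphertext was modified")
    return pt

def flip_bit(ct: bytes, index: int, bit: int) -> bytes:
    # One ciphertext bit flips the same plaintext bit; no key needed.
    return ct[:index] + bytes([ct[index] ^ (1 << bit)]) + ct[index + 1:]

def demo() -> dict:
    key, msg = b"constructed-demo-key", b"pay 100 to alice"
    edited = decrypt_legacy(key, flip_bit(encrypt_legacy(key, msg), 4, 1))
    mdc_ct = encrypt_mdc(key, msg)
    try:
        decrypt_mdc(key, flip_bit(mdc_ct, 4, 1))
        caught = False
    except ValueError:
        caught = True
    # An MDC-unaware reader decrypts without error but returns 20 trailing
    # bytes of binary hash as if they were message text.
    return {"edited": edited, "mdc_caught": caught,
            "legacy_view": decrypt_legacy(key, mdc_ct)}
```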