ietf-openpgp

Re: Agree with PRZs MDC suggestion

1999-05-25 08:14:22
On Sat, 22 May 1999, Werner Koch wrote:

Why an extra checksum if we already have an MDC?

Because someone was suggesting that if anyone ever changed the algorithm
ID byte they could turn off the MDC.  That could be prevented by a

Ah well, I think it is easier to put a copy of the version byte and
the algorithm identifier into the encrypted text:

E(random_prefix[blocksize+2],version_byte,algo_byte,plaintext,mdc_packet)

Blocksize+2?  Are we doing PGP-cfbs still?  Also, by mdc_packet, I take it
to mean you mean a real packet (i.e. there is a virtual EOF after the
plaintext)?

And I might want to specify other algorithm IDs, e.g. the Palm Pilot has
MD5 (and DES) in the OS kernel, but not SHA1.  I would really prefer to
have my MDCs there as MD5, and use 3DES for a minimal Palm implementation.

Makes sense for me.  And I think it is better to use OpenPGP
data formats than to use something else or invent another one.

Is it okay to have SHOULD use SHA1-MDC and SHOULD give a warning if
another MDC is used? 

I think SHOULD use SHA1-MDC is best, but I am not sure about the warning
part.  I think it might be proper to give a warning on the creation (much
like giving a warning against using MAY or private algorithms other places
where most PGP implementations won't be able to handle it).

I forget if RMD160 or MD5 in the normal context are MAY or SHOULDs, but if
they are SHOULDs, I wouldn't want to give a warning.  Implementations
SHOULD be able to use any hash for MDC that they use for signatures.
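
Added example, not part of the original message or of any OpenPGP implementation: a sketch of the layout discussed in the thread, `prefix, version_byte, algo_byte, plaintext, mdc`, showing why a protected copy of the two header bytes stops someone from switching the MDC off by editing the cleartext header. Assumptions: the algo byte names the MDC hash (OpenPGP hash IDs 1 = MD5, 2 = SHA-1), the block size is 8, the MDC is a bare digest rather than a real packet, and the encryption step itself is omitted, so the functions work on the body before encryption and after decryption.

```python
import hashlib
import hmac
import os

# OpenPGP hash algorithm IDs: 1 = MD5, 2 = SHA-1. The body layout is assumed.
HASHES = {1: hashlib.md5, 2: hashlib.sha1}
BLOCKSIZE = 8              # assumed 64-bit block cipher, e.g. 3DES
START = BLOCKSIZE + 2      # offset of the protected version/algo copy


def build_body(version, algo, plaintext):
    """Return the bytes that would be passed to E(): prefix, version, algo, plaintext, MDC."""
    prefix = os.urandom(BLOCKSIZE)
    prefix += prefix[-2:]  # blocksize+2 prefix: last two bytes repeated
    covered = prefix + bytes([version, algo]) + plaintext
    return covered + HASHES[algo](covered).digest()


def verify_body(body, outer_version, outer_algo):
    """Check a decrypted body against the cleartext header; return plaintext or raise ValueError."""
    if len(body) < START + 2:
        raise ValueError("body too short")
    version, algo = body[START], body[START + 1]
    # The cleartext header is attacker-controlled; the copy inside is not.
    if (version, algo) != (outer_version, outer_algo):
        raise ValueError("header does not match protected copy")
    if algo not in HASHES:
        raise ValueError("unknown MDC hash")
    dlen = HASHES[algo]().digest_size
    if len(body) < START + 2 + dlen:
        raise ValueError("body too short for MDC")
    covered, mdc = body[:-dlen], body[-dlen:]
    if not hmac.compare_digest(HASHES[algo](covered).digest(), mdc):
        raise ValueError("MDC mismatch")
    return covered[START + 2:]


if __name__ == "__main__":
    body = build_body(4, 2, b"constructed sample message")  # constructed input
    print(verify_body(body, 4, 2))
    try:
        verify_body(body, 4, 0)  # cleartext header rewritten to "no MDC"
    except ValueError as err:
        print("rejected:", err)
```
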