ietf-openpgp

Re: Forward secrecy

2000-08-04 02:45:57
Hal,

Thanks for the comments :)

We did include mechanisms for specifying the one-time pad to be used to
decrypt a given message:
--
4.2 One-time pad reference
...
     - A four-octet date when the referenced one-time pad was created.

     - A four-octet offset specifying the first octet in the referenced
       pad that should be used as key.
--
i.e. the creation time was meant to be a pseudo-ID.

But I am quite happy to take out the OTP section if that's what people
want: if anyone later feels they need it, they would be welcome to
cannibalise our text as the starting point for a new RFC. What are other
people's thoughts?

One is what has recently been discussed on the ukcrypto list, which is
to provide a mechanism in the client to surrender selected session keys
rather than public keys, under court order.  This provides a minimal
way of complying with the new UK laws.

I have added the following paragraph to the "Key Surrender" section:

"The least compromising key required MUST be the one surrendered. The
session key used to encrypt an individual message will often be sufficient.
Otherwise, a subkey should be surrendered before a long-term top-level key.
Signature keys should not be surrendered unless absolutely necessary."

Another idea, which would be much harder to specify clearly, was
something that PRZ proposed to me way back in 1992.  Similar to the
one-use decryption keys, he proposed that communicating parties cache a
session key to be used over a series of messages, updating it for each
message transfer.  You could get forward secrecy by doing something like
new_key = hash(old_key), with appropriate precautions.  This would be a
lighter weight mechanism than the one-use decryption keys, but it would
be more of a change to the OpenPGP standard.

This is nice, but does need a reasonable amount of work to specify. If
people feel this would be valuable, we could discuss it further.

Ian :)
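
The `new_key = hash(old_key)` scheme mentioned in this message, sketched as an added example that is not part of the original e-mail or of any OpenPGP draft. It goes one step beyond the text by also handling mail that arrives out of order. HMAC-SHA-256, the two labels, `MAX_SKIP` and the `Ratchet` class are assumptions chosen for illustration.

```python
import hashlib
import hmac

MAX_SKIP = 64  # assumed bound on how far a receiver will ratchet ahead


def kdf(chain_key, label):
    # Distinct labels keep the per-message key and the next chain key
    # independent, so surrendering a message key does not expose the chain.
    return hmac.new(chain_key, label, hashlib.sha256).digest()


class Ratchet:
    """One party's cached session-key state (hypothetical helper)."""

    def __init__(self, shared_key):
        self.chain_key = shared_key
        self.counter = 0      # index of the next message key to derive
        self.skipped = {}     # keys for messages that have not arrived yet

    def _step(self):
        index, message_key = self.counter, kdf(self.chain_key, b"message")
        # new_key = hash(old_key): the old chain key is dropped here.
        self.chain_key = kdf(self.chain_key, b"chain")
        self.counter += 1
        return index, message_key

    def next_key(self):
        """Sender side: (index, key) for the next outgoing message."""
        return self._step()

    def key_for(self, index):
        """Receiver side: the key for message `index`, usable exactly once."""
        if index < self.counter:
            # Late arrival: hand out the cached key, then forget it.
            return self.skipped.pop(index)  # KeyError if already used
        if index - self.counter > MAX_SKIP:
            raise ValueError("message index too far ahead")
        while self.counter < index:
            skipped_index, key = self._step()
            self.skipped[skipped_index] = key
        return self._step()[1]


def demo():
    shared = hashlib.sha256(b"constructed sample secret").digest()
    sender, receiver = Ratchet(shared), Ratchet(shared)
    sent = dict(sender.next_key() for _ in range(4))
    # Constructed delivery order: message 2 first, then 0, then 3.
    got = {i: receiver.key_for(i) for i in (2, 0, 3)}
    return sent, got, receiver
```

Keys cached for skipped messages remain recoverable until those messages arrive, and Python does not guarantee that dropped key bytes are wiped from memory, so a real implementation needs explicit erasure and an expiry policy for the cache.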
