-----BEGIN PGP SIGNED MESSAGE-----
On the subject of MDC packets, I'd like to note a peculiarity
in the GnuPG implementation, and ask whether others consider
it reasonable, in accordance with the specification.
Here (my perception of) the structure of a integrity-protected
packet sequence:
SEIP-data packet {
<version=1>
encrypt-CFBn[key](
<plaintext>
MDC packet { SHA-1 hash }
)
}
The discussion of the SEIP-data packet doesn't say so explicitly,
but the <plaintext> would be an "OpenPGP message" in the
packet sequence grammar. Is that required, or simply
a convention?
GnuPG encodes the <plaintext> using an old-style indeterminate
length packet. This requires a parser to carve off the
MDC packet *from the end* in order to properly bound the
interpretation of that packet. I can think of at least two
approaches to doing so, but neither is very satisfying:
Use the bounds provided by the outer packet to limit the
size of the <plaintext> region. In a recursive filter-style
parser, this is unnatural -- rather than consuming a generic
input stream, the parser must also be given the bounds of
that stream (and that bound must be carried through any
layers that might reach another parsing step). Moreover,
there is no requirement that the outer packet be bounded;
it could very reasonably use an old-style indeterminate or
new-style partial-body encoding itself.
Maintain a 22-byte lookahead buffer. If the outer packet
has indeterminate (*or partial-body*) length, and the
<plaintext> has indeterminate length, this seems to be the
only viable option. (If the <plaintext> could be something
other than a "OpenPGP message", then it is effectively
indeterminate. Partial-body encodings present no problem.)
So, my questions are:
Is the <plaintext> *required* to be an "OpenPGP message"?
Are indeterminate packets legal inside other indeterminate
packets? If not, are they legal inside strictly bounded
packets?
Thanks in advance for your thoughts.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBO4URw2NDnIII+QUHAQFqiQf6A5a7tVyhv5vou7FJQl/P/xCuzI0wX24C
H5fjlW1wYVJ1xapLd6D2RF8xzrQV+cSG3dY56wboy3QeOFTP9+YMTNfZBmr2sqhG
piZHfL94bt2CvO5L+NoJgBcLvEDXcGEED0PyMnCAa8AkmFSTZuUbYY4Fz71EDG6N
jGyix3Bbg2mbYRHQdqiG7Ljml15Zl0xAaEthu3zyzsf5FIM75Oa0SUDLrO5AYI1v
SlzG7W11jqWN+jUiafgiawRxdyY39XvSaAHfIy8kks42yzaDZlhOrNmshzdH1ejM
/7CItr+7GL06hGBjsQggIEb6X4J16QcYEEL74Fymdr4ocb0CapEWwQ==
=CpgF
-----END PGP SIGNATURE-----