-----BEGIN PGP SIGNED MESSAGE-----
I like most of Werner Koch's edits.
One section that concerned me was:
| The 20 byte SHA-1 digest that follows the algorithm-specific
| portion is computed by hashing the plaintext of all the
| algorithm-specific octets (including MPI prefix and data). It is
| always encrypted like the algorithm-specific data. The deprecated
I strongly recommend hashing the entire contents, including the public
key material. If you wanted to leave out the material between the
public-key and secret-key parameters (that is, the pre-S2K byte,
the S2K, and the IV), I could accept that, but I think it would
be more convenient and consistent to include them.
Here's my stab at a description, based on Werner's draft:
| The 20 byte SHA-1 digest that follows the algorithm-specific portion
| is computed by hashing:
| the public key contents (exactly as for fingerprints,
| see "KeyIDs and Fingerprints");
| followed by the secret key packet contents,
| including the plaintext of the algorithm-specific data
| (including any MPI prefixes and data).
| The digest is appended to the secret-key parameters, and is
| encrypted along with them, without any CFB resynchronization.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----