Jon Callas <jon(_at_)callas(_dot_)org> writes:
* Change the entire public key version number to 5, and add in a check.
I think V5 should be started only if a few other adjustments are made,
too. The certificate-does-not-cover-key-expiration-time problem comes
to my mind here. ;-)
* Change the String-to-Key specifier. The solution here is adding in the
tag 254 to 3.7.2.1
and reserve 254 (and 255) in 9.2 for this kind of use.
and have 254 denote an improved S2K. The benefit here is
that it causes the least change to user software, and is as secure as
anything else. The downside is that if someone uses a cipher algorithm
there, then they can't use algorithm 254. However, not only is using a
cipher algorithm deprecated, but our present max cipher number is 10.
This is not quite correct, the numbers 100 to 110 are already
assigned, too, technically speaking. However, 254 was never an
official private/experimental symmetric algorithm identifier, so I
don't think we have to care about potential problems caused by using
254 at this particular place, especially since using symmetric
algorithm specifiers in this context is deprecated anyway.
--
Florian Weimer
Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898