Terje Braaten <Terje(_dot_)Braaten(_at_)concept(_dot_)fr> writes:
Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)
with the additional restriction that the encryption mode
should be one
of the MDC modes (ie appended MAC with K outside encryption, or
appended hash of msg inside encryption).
What a wonderful solution. Hello everybody, we go ahead and change
the next version of the protocol to this. Ok?
No. It is definitely not ok. This breaks backwards compatibiltiy
with implementations of 2440.
No matter what you do it should be backwards compatible with existing
software. Current implementations should still be able to read it,
even if they don't understand it.
My two suggestions still remain:
1) Write up an RFC that defines how to use a notation packet to do
what you want, where that notation packet is included in the
signature. Within that notation you can store the original
recipients list.
2) Write up an RFC that defines how to use 2440 packets in ESE mode.
I'm fairly sure that most of the existing 2440 implementation can
read an ESE message (at least if they implemented their parser
recursively like I did in PGP 5).
Either of these solutions solve your problem _AND_ remain
2440-compatible.
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek(_at_)ihtfp(_dot_)com www.ihtfp.com