On 8/14/02 2:27 PM, "john(_dot_)dlugosz(_at_)kodak(_dot_)com"
According to the link posted by someone else,
(www.counterpane.com/pgp-attack.html), "We also recommend changes in the
OpenPGP standard [3] to reduce the
effectiveness of our attacks in these settings."
Are the people actively working on the -bis draft aware of this?
Yes, we are aware of it. We released bis-06 on Monday with language in it to
address this. We were advised about this a month ago, and have had quite a
good email conversation with the authors about it.
The text that is in there is some talk in the sections on compression, which
say that a decompression error should be considered to be a security
problem, not a data problem (in other words, don't typically let the user
have the damaged plaintext), and some language that recommends encouraging
people to use MDCs. There is also a relatively long section in Security
Considerations. Take a look, I think you'll like it.
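
An added sketch (not from this thread or the draft) of the fail-closed handling described above: the MDC is checked first, and a decompression error is raised as an integrity failure with no partial plaintext returned. It is simplified: the cipher and random prefix are omitted, zlib stands in for the compressed-data packet, and `seal`, `release_plaintext` and `IntegrityError` are hypothetical names.

```python
import hashlib
import hmac
import zlib

MDC_HEADER = b"\xd3\x14"  # MDC packet tag and length octet (20-byte SHA-1 body)
MDC_LEN = len(MDC_HEADER) + 20


class IntegrityError(Exception):
    """Any integrity failure; deliberately carries no plaintext."""


def seal(message: bytes) -> bytes:
    """Constructed test input: compressed data followed by an MDC packet."""
    body = zlib.compress(message)
    return body + MDC_HEADER + hashlib.sha1(body + MDC_HEADER).digest()


def release_plaintext(decrypted: bytes, has_mdc: bool) -> bytes:
    """Return the message only if every check passes, otherwise raise.

    has_mdc is an assumption of this sketch: the caller knows from the
    packet type whether the message is integrity protected.
    """
    body = decrypted
    if has_mdc:
        if len(decrypted) < MDC_LEN or decrypted[-MDC_LEN:-20] != MDC_HEADER:
            raise IntegrityError("missing MDC")
        body, digest = decrypted[:-MDC_LEN], decrypted[-20:]
        expected = hashlib.sha1(body + MDC_HEADER).digest()
        if not hmac.compare_digest(expected, digest):
            raise IntegrityError("MDC mismatch")
    try:
        d = zlib.decompressobj()
        out = d.decompress(body) + d.flush()
        # A stream that ends early or has trailing bytes is also damaged.
        if not d.eof or d.unused_data:
            raise zlib.error("truncated or trailing data")
    except zlib.error:
        # Security failure, not a data problem: discard whatever was
        # decompressed so far instead of handing it to the user.
        raise IntegrityError("decompression failed") from None
    return out
```
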