my point was, requiring implementors to do compression sucks,
in my opinion. this attack is insufficient justification.
the attack is a social engineering attack. forcing implementors
to add onerous code to defend against it is not a good idea.
At 12:51 PM 8/14/2002 -0400, Derek Atkins wrote:
Rodney Thayer <rodney(_at_)tillerman(_dot_)to> writes:
> I think it's got too many odd things in it to require compression.
Indeed.. As I said (perhaps incoherently), the attack only works if
you DO NOT compress. If you compress the message then there is no way
to XOR against the message.