On Mon, Mar 08, 2004 at 09:16:10PM -0500, Derek Atkins wrote:
* IDEA in the v3-v4 algorithm conflict: Major issue the question of what
support needs to be given to PGP 2 implementations. No proposed text was
presented so issue was punted back to the author.
This one was mine. The problem I had was the draft suggests using
IDEA when encrypting to a mix of V3 and V4 keys.
Section 12.1 of the draft says:
An implementation that is striving for backward compatibility MAY
consider a V3 key with a V3 self-signature to be an implicit
preference for IDEA, and no ability to do TripleDES. This is
technically non-compliant, but an implementation MAY violate the
above rule in this case only and use IDEA to encrypt the message,
provided that the message creator is warned. Ideally, though, the
implementation would follow the rule by actually generating two
messages, because it is possible that the OpenPGP user's
implementation does not have IDEA, and thus could not read the
message. Consequently, an implementation MAY, but SHOULD NOT use
IDEA in an algorithm conflict with a V3 key.
It's a reasonable suggestion on the face of it, but it is insufficient
in practice.
Without going into all the messy details, a V3 program is going to
reject any message that doesn't use only RFC-1991 packets and packet
constructions, the IDEA cipher, a session key from a RSA key that is
less than 2112 bits, etc.
Proposed text to fix this is to add to the end of the paragraph:
Note that when assembling a backwards compatible message, there may
be other issues that be resolved in addition to using the IDEA
cipher.
I'd also be fine with dropping the paragraph altogether if there is
not much interest in supporting PGP 2.
David