ietf-openpgp

Re: Problems with v4 key packet format

2005-09-21 10:10:35

On Wed, Sep 21, 2005 at 01:28:27PM +0100, Ben Laurie wrote:

I don't understand this attack.

It's the well-known Klima-Rosa attack. It has been discussed earlier on
this list.

2. No explicit count of MPIs constituting the key material (both public and
private).

This information can only be inferred from the algorithm specifier, meaning
that any implementation that wants to perform key management must have some
rudimentary knowledge about all public key algorithms. This, in turn,
hampers forward-compatibility.

This appears to me to be incorrect - an implementation that didn't know 
the algorithm could still deduce the number of MPIs by parsing the 
packet until it is exhausted.

Except for private key packets.

This would mean introducing a requirement 
that all public key parameters were MPIs, of course.

That, too.

3. Key fingerprint depends on data unrelated to the actual key (namely:
creation date).

This prevents solutions when signature keys are generated on the fly (e.g.
directly from a passphrase), as the key creation (or, in this case, key
registration) date is not available at the time of signing, thus making it
impossible to put an unambiguous reference to the public key into the
signature.

Not impossible, but I'll agree, crufty. One could use a fixed creation date.

That's a horrible cruft breaking all sorts of things (validity period, etc.).

I like Dave's suggestion about adding optional subpackets, similar to those
in signatures.

-- 
Daniel
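
The two points debated above (counting MPIs without knowing the algorithm, and the fingerprint covering the creation date), as an added example that is not part of the original message or of any OpenPGP implementation. The key parameters, timestamps and the algorithm id 99 are constructed values; the helper names are hypothetical.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit count, then the magnitude bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, algo: int, params: list) -> bytes:
    """Version octet, 4-byte creation time, algorithm octet, then the MPIs."""
    return bytes([4]) + struct.pack(">IB", created, algo) + b"".join(map(mpi, params))

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, 2-byte body length, and the body (creation time included)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

def count_mpis(body: bytes) -> int:
    """Count MPIs by walking to the end of the body, ignoring the algorithm octet.
    Only valid for public key packets whose parameters are all MPIs; secret key
    packets carry S2K fields and possibly encrypted data after the public part."""
    if body[0] != 4:
        raise ValueError("not a v4 key packet body")
    pos, count = 6, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated MPI length")
        bits = struct.unpack_from(">H", body, pos)[0]
        pos += 2 + (bits + 7) // 8
        if pos > len(body):
            raise ValueError("MPI runs past end of packet")
        count += 1
    return count

# Constructed toy parameters (far too small to be real keys).
RSA_PARAMS = [3233, 17]            # n, e
FOUR_PARAMS = [23, 11, 2, 9]       # four MPIs, as a DSA-style key would have
T1, T2 = 1127297435, 1127297436    # two creation times one second apart

if __name__ == "__main__":
    rsa_a = v4_public_key_body(T1, 1, RSA_PARAMS)
    rsa_b = v4_public_key_body(T2, 1, RSA_PARAMS)
    unknown = v4_public_key_body(T1, 99, FOUR_PARAMS)  # 99: constructed id the parser does not know
    print(count_mpis(rsa_a), count_mpis(unknown))
    print(v4_fingerprint(rsa_a))
    print(v4_fingerprint(rsa_b))  # same key material, different fingerprint
```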