On 27 Mar 2006, at 7:44 AM, Daniel A. Nagy wrote:
I agree with David here. The standard's purpose is to ensure
interoperability. It should tell us the semantics behind sequences
of bytes. It is up to the implementation to make decisions based on
these semantics.

Valid reasons to exclude certain combinations from the standard
include ambiguity of interpretation, inherent insecurity or a wide
installed base of incompatible implementations, but not the
possibility of weird uses, IMHO.
I agree as well with both Davids.
As an observation, in 2440 one of the things we allowed was deviation
from DSS because the rough consensus had a certain amount of
grumpiness with the US Government. In practice, hardly anyone did
anything different with DSA than DSS. We even removed hash functions.
Many things have changed in the last decade, but toeing the exact
NIST line or even being like them only more so is going a bit too far.
In the next decade, we're going to see a lot of advancement in hash
functions. Someone is going to want to use those new hash functions
with DSA, and it would be nice to be able to move faster than NIST.
Let's suppose someone comes up with a new hash function that is 251
bits. (I picked 251 because it's prime and less than 256.) We don't
want a constitutional crisis over using it. We want to be flexible
enough that it's pretty obvious how to extend OpenPGP to use new hash
functions with DSA.
Jon
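The point Jon raises, a hash whose output length does not match the size of DSA's subgroup order q, is worth seeing worked through. The following is an added example, not code from this thread or from any OpenPGP implementation: a minimal textbook DSA in Python that converts a digest of any bit length into the integer z the way FIPS 186-3 (and RFC 4880 for OpenPGP) later codified it, keeping the leftmost min(N, outlen) bits, where N is the bit length of q. It signs one message with a 256-bit hash, with a constructed 251-bit hash (SHA-256 with its low five bits dropped, standing in for the hypothetical function in the mail) and with a 512-bit hash, all against a 256-bit q, and checks that a tampered message fails. The 1024-bit p, the fixed seeds and the function names are my choices to keep parameter generation fast and deterministic in pure Python; 1024/256 is not a deployable DSA size.

```python
import hashlib
import random

# Small primes for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [n for n in range(2, 1000) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with rng-chosen bases; deterministic for a seeded rng."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(L=1024, N=256, seed=20060327):
    """Toy DSA domain parameters (p, q, g). L=1024 is for speed only, not for use."""
    rng = random.Random(seed)
    while True:                                   # q: an N-bit prime
        q = rng.getrandbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:                                   # p: an L-bit prime with p = 1 (mod 2q)
        x = rng.getrandbits(L) | (1 << (L - 1))
        p = x - (x % (2 * q)) + 1
        if p.bit_length() == L and is_probable_prime(p, rng):
            break
    h = 2
    while True:                                   # g: a generator of the order-q subgroup
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g
        h += 1


def hash_to_int(h_int, outlen, q):
    """FIPS 186-3 rule: z is the leftmost min(N, outlen) bits of the digest, N = bits of q.
    A digest longer than q is truncated from the left; a shorter one is used whole."""
    N = q.bit_length()
    if outlen > N:
        return h_int >> (outlen - N)
    return h_int


def sign(params, x, z, rng):
    p, q, g = params
    while True:
        k = rng.randrange(1, q)                  # per-signature secret; must be fresh and uniform
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(params, y, z, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, (z * w) % q, p) * pow(y, (r * w) % q, p)) % p % q
    return v == r


def demo(message=b"constructed sample message"):
    """Sign one message with three digest lengths against a 256-bit q; return verify results."""
    params = generate_params()
    p, q, g = params
    rng = random.Random(1)
    x = rng.randrange(1, q)                       # private key
    y = pow(g, x, p)                              # public key
    sha256 = int.from_bytes(hashlib.sha256(message).digest(), "big")
    digests = {
        "sha256": (sha256, 256),
        "h251": (sha256 >> 5, 251),               # constructed 251-bit hash, standing in for a new function
        "sha512": (int.from_bytes(hashlib.sha512(message).digest(), "big"), 512),
    }
    results = {}
    for name, (h_int, outlen) in digests.items():
        z = hash_to_int(h_int, outlen, q)
        results[name] = verify(params, y, z, sign(params, x, z, rng))
    # Signature over the original message must not verify for a modified one.
    z_orig = hash_to_int(sha256, 256, q)
    z_bad = hash_to_int(int.from_bytes(hashlib.sha256(message + b"x").digest(), "big"), 256, q)
    results["tampered"] = verify(params, y, z_bad, sign(params, x, z_orig, rng))
    return results


if __name__ == "__main__":
    print(demo())
```

All three digest lengths verify because DSA only ever sees z reduced modulo q, so the standard has to fix one thing: how the digest becomes z. Two caveats a reviewer would raise: a digest shorter than q (the 251-bit case against a 256-bit q here) leaves the top bits of z zero, so the pairing contributes no more than 251 bits of hash strength and the natural companion for such a hash is a q of at most that size; and the truncation direction (leftmost bits) has to be stated in the standard, since an implementation that kept the rightmost bits would produce signatures no one else can verify, which is exactly the interoperability failure the thread is about.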