[Top] [All Lists]

Re: algorithm IDs (was: Re: OpenPGP keys and Suite-B)

2008-06-19 17:58:46

Hash: SHA1

I really don't like OIDs, given the potential for format-based attacks
that they introduce, but we're already using them anyway. I would  
like to
see them phased out by v5 though.

On the one hand, an OID is just a bit string. It's no worse than  
UTF-8. Consider the way we do it to be ISO Latin1, and OIDs to be  
Unicode. On the other hand, you're right.

I don't see that an OID actually solves the problem. The problem is  
that the bureaucracy of IANA needs to assign the bit string. It  
doesn't matter if the bit string is an OID or one of our constants.

It's a process issue, not a format issue.

However, I see a very large problem here with the "it takes a year  
to get
an algorithm ID" situation. What's holding that up? And while we're  
at it,
can we get an algorithm ID assigned for WHIRLPOOL?

Make one up. Ditto for Camellia. Pick the obvious right number, and we  
all agree we'll start using it. Then we tell IANA to assign that number.

I leave the solution to the obvious error condition (what if IANA  
picks a different one) as an exercise for the reader. If you want,  
I'll tell you my workaround.


Version: PGP Universal 2.6.3
Charset: US-ASCII


<Prev in Thread] Current Thread [Next in Thread>