> I really don't like OIDs, given the potential for format-based attacks
> that they introduce, but we're already using them anyway. I would
> like to see them phased out by v5 though.

On the one hand, an OID is just a bit string. It's no worse than
UTF-8. Consider the way we do it to be ISO Latin1, and OIDs to be
Unicode. On the other hand, you're right.

I don't see that an OID actually solves the problem. The problem is
that the bureaucracy of IANA needs to assign the bit string. It
doesn't matter if the bit string is an OID or one of our constants.
It's a process issue, not a format issue.

> However, I see a very large problem here with the "it takes a year
> to get an algorithm ID" situation. What's holding that up? And while
> we're at it, can we get an algorithm ID assigned for WHIRLPOOL?

Make one up. Ditto for Camellia. Pick the obvious right number, and we
all agree we'll start using it. Then we tell IANA to assign that number.
I leave the solution to the obvious error condition (what if IANA
picks a different one) as an exercise for the reader. If you want,
I'll tell you my workaround.
Jon