On Fri, 20 Jun 2008 12:48, rabbi(_at_)abditum(_dot_)com said:
> Actually, my concern has to do with the fact that OIDs are of arbitrary
> length. X.509 got it wrong; we might too.
How can you get this wrong? You compare the length byte and the
data. That is trivial. Some folks might be tempted to use a BER parser
but that is overkill and a bad practice.
We have far more complicated encoding schemes in OpenPGP packets than a
length byte and some opaque data bytes as I suggest to use for the OID.
> I agree that's a problem, but isn't the solution "upgrade the client that
> can't handle the larger keys?"
Sure, it is just a practical problem. The users need to get a new
version of the software. For GNU/Linux that may take half a year and
the willingness to update to something new.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
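
The length-byte-plus-opaque-bytes comparison described in the message above, as an added example that is not part of the original post or of any OpenPGP implementation. The field layout (one length byte, then that many OID bytes), the function names and the sample byte values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: one length byte, then that many opaque OID bytes.
 * All names here are hypothetical. */
struct oid_field {
    const unsigned char *data;  /* points into the caller's buffer */
    size_t len;                 /* 1..255 */
};

/* Read a length-prefixed OID from buf[0..buflen).
 * Returns bytes consumed, or 0 if the field is empty or truncated. */
size_t oid_read(const unsigned char *buf, size_t buflen, struct oid_field *out)
{
    if (buf == NULL || out == NULL || buflen < 1)
        return 0;
    size_t len = buf[0];
    if (len == 0 || len > buflen - 1)   /* never read past the buffer */
        return 0;
    out->data = buf + 1;
    out->len = len;
    return 1 + len;
}

/* Exact match: the lengths must agree before any bytes are compared, so a
 * known OID never matches a longer or shorter one that shares its prefix. */
int oid_equal(const struct oid_field *f, const unsigned char *known, size_t n)
{
    return f->len == n && memcmp(f->data, known, n) == 0;
}

/* Constructed sample value standing in for one supported OID. */
static const unsigned char KNOWN_OID[] = {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07};

/* Returns 1 if buf starts with a well-formed field equal to KNOWN_OID. */
int is_known_oid(const unsigned char *buf, size_t buflen)
{
    struct oid_field f;
    if (oid_read(buf, buflen, &f) == 0)
        return 0;
    return oid_equal(&f, KNOWN_OID, sizeof KNOWN_OID);
}

int main(void)
{
    const unsigned char longer[] = {0x09,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x01};
    printf("longer OID with same prefix matches: %d\n", is_known_oid(longer, sizeof longer));
    return 0;
}
```

An unknown OID is simply skipped by its length, which is how a reader can step over values it does not support without interpreting them.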