On 22/03/2015 14:56 pm, Phillip Hallam-Baker wrote:
> People keep telling me that canonicalization is necessary for
> security. In 25 years I have never once heard someone give a use case
> where it did.
It was *very* important when people were cut & pasting PGP-signed emails
around (and the contracts I alluded to earlier) but this all disappeared
when more sophisticated techniques turned up which included MIME and
also PGP encryption itself.
The last time I had a canonicalisation nightmare was in about 1997,
sitting in a tent hand-crufting bits of a PGP book back together. With
a bunch of Americans giggling in the background to accentuate our pain.
That amusing memory aside, I think yes, canonicalisation has kind of
shifted down in priorities and would be a contender for Occam's razor.
> Of course, the real author of ASN.1 becomes clear when you know it is
> his name backwards.
lol... "the one"
openpgp mailing list