One change we made in the -01 version of the drafts was to remove RC2 from
the main part of the draft, and to replace it with an "algorithm" called
"FOO/40". The purpose of this is give the list a round of not discussing
RC2, but fully discussing the use of a 40-bit weak algorithm.
Please read all of Section 2.6 and its subsections carefully. It is the
belief of the author team that there is nothing in this section that
requires sending using weak encryption, and gives you a precise guideline
for determining which encryption method to use in order to not send with
weak encryption.
I believe that naming and allowing a 40-bit algorithm in the spec will
cause many more developers to implement the spec; this is a Good Thing. As
much as we may hate it, the US Government's refusal to let US developers
ship mail software with stronger security has pretty much prevented all
developers, inside the US and outside, from implementing
strong-encryption-only specs like PGP/MIME. I think it behooves us to come
out with a spec that can be widely implemented but does not force weak
encryption.
--Paul E. Hoffman, Director
--Internet Mail Consortium