Dr Stephen Henson <shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk>
writes:
Sorry I missed the comment about discussion being as a reply. Anyway
here are my original comments...
I propose this option not because its the best but because its what the
two versions I've tested use: viz Netscape Messenger and Microsoft
Outlook.
Representatives from both companies are here. It seems to me best
to see what their opinions are.
If you permit a larger key length then it may break an existing
implementation that assumes that the the keylength is X/8. It would
break mine for example but I can fix that.
I can't comment on whether the above implementations assume X/8, can
anyone else? If no one knows then I can do some tests and post the
results back here.
IMHO, anyone who assumes X/8 when receiving has broken the cardinal
rule of being liberal in what you accept. Sending is a different
issue.
As for this being more complicated to code and test I'd say that depends
on the implementation. Currently, for example, SSLeay would need some
modification to support option 2 with its envelope routines whereas
option 1 is already supported.
That's not a reasonable standard. Clearly, any change is more
difficult to develop and test than no change. That's why we
take current practice into account. The issue with development
and test assumes you're starting from scratch. From THAT
perspective fixed is easier.
There is a standard that that sort of defines it. The standard I'm
referring to is PKCS#12 password based encryption. In this case the
keylength is specifically implied by the algorithm as X/8.
Since my original message I've thought of something else...
If option 2 is taken then what should the fixed keylength be? If we set
it as (for example) 128 bits then that restricts anyone who wishes to
use more. So you couldn't just say "fixed keylength" you'd have to say
for example: "the keylength is rounded up to the nearest multiple of 16
to X/8". One conclusion to this is, of course, you might as well have a
variable key length to begin with.
This is a non-problem. The permissible RC2 keylengths in S/MIME are
40,64, and 128. Consequently, fixed 128 will work just fine.
-Ekr
--
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."