pem-dev

Re: DES MAC Alternative

1992-11-23 18:06:00

Steve Kent writes:
At this point in the process, the goal is to get the current
PEM specs out with as little modification and accompanying testing as
possible.  

This is certainly understandable.

Thus the PEM WG adopted the simplest approach to avoiding
the vulnerability you and Virgil cited, plus one cited by Charlie
Kaufman at DEC (in the public key context), namely removing MAC from
the algorithms list.  

I agree it is the simplest approach.

Since MAC is not a good hash function anyway,

This appears to be somewhat misleading.  Can you clarify what you mean
by this?

and since we really hated to have to warn users about using MAC only
for single-addressee messages, 

However, with the fix we propose, you need not have a
single-addressee message type.  Remove the MAC single-addressee message
type and only allow the "multi-addressee" type we propose. (This type will 
work for a single addressee as well as for multiple addressees.)  Also, this
multiple-addressee type is the same format as what exists when using
MDx.  Only the use of the redundancy function is different. (Thus the
only change to the spec would be the removal of the single-addressee
type message and the addition of the double DES MAC MIC.)

this simplifies the situation and
removes an historical artifact.

I am not convinced that the DES MAC cannot be used in providing a
comparable level of integrity protection. If there is interest in
maintaining the use of the DES MAC, then perhaps these changes could
be made to a future spec.  However, if there is little interest, then I
am in full agreement.

Stuart

