Carl,
You've been a fan of encrypting IVs in several messages.
Could you provide an explanation of why this would be an important
feature, in the context of PEM? The general "rules of thumb" under
which cryptoalgorithms have been evaluated for some time (and which
Diffie and Hellman described in publications about 15 years ago),
assume that a good algorithm should be resistant to attack even in the
face of known or chosen plaintext. Thus, the observation that data at
the beginning of an encrypted message may be highly predictable is
generally regarded as not an especially serious concern (relative to
recovery of the encryption key). The thrust of the arguments being
made seems to be that we should encrypt the IV to provide more
protection for the first block of plaintext being enciphered vs. later
blocks (since the IV for a later block is just the preceding
ciphertext block). If one can identify highly predictable data in the
second or third block, this argument for enciphering the IV becomes
obviously silly. I would suggest that the likelihood of such
predictable data in subsequent (8-byte) blocks is increasing all the
time, e.g., as a result of PEM-MIME formats, and thus any benefits
associated with encrypting the IV are too minor to warrant the effort.
Steve
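The chaining argument above, as an added example that is not part of the original message: a Python walk-through of CBC over a toy 8-byte Feistel cipher (an assumption standing in for DES, with a constructed key, IV and MIME-like plaintext), counting how many known-plaintext block pairs an observer can derive when the IV is sent in clear versus when it is hidden.

```python
import hmac
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size PEM used

# Constructed sample values; the cipher below is a toy, not DES.
KEY = b"constructed-demo-key"
IV = bytes(range(1, BLOCK + 1))
PLAINTEXT = b"Content-Type: text/plain; charset=us-ascii\r\nHi\r\n"  # 48 bytes, MIME-like

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Keyed round function F: HMAC-SHA256 over (round index, right half), 4 bytes.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # 8-round balanced Feistel network: invertible for any F, so a real permutation.
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list:
    # C_0 = E(P_0 xor IV); C_i = E(P_i xor C_{i-1}) for i > 0.
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return out

def known_pairs(iv, plaintext_blocks, ciphertext_blocks) -> list:
    """(cipher input, cipher output) pairs derivable from known plaintext.
    Block i > 0 needs only C_{i-1}; block 0 needs the IV, so pass iv=None when
    the IV is encrypted or otherwise hidden from the observer."""
    pairs, prev = [], iv
    for p, c in zip(plaintext_blocks, ciphertext_blocks):
        if prev is not None:
            pairs.append((_xor(p, prev), c))
        prev = c
    return pairs

def demo() -> tuple:
    # Returns (pair count with a cleartext IV, pair count with a hidden IV).
    ct = cbc_encrypt(KEY, IV, PLAINTEXT)
    blocks = [PLAINTEXT[i:i + BLOCK] for i in range(0, len(PLAINTEXT), BLOCK)]
    return len(known_pairs(IV, blocks, ct)), len(known_pairs(None, blocks, ct))

if __name__ == "__main__":
    print(demo())  # (6, 5): hiding the IV removes exactly one of the six pairs
```

Every block after the first yields a (P_i xor C_{i-1}, C_i) pair under the key whether or not the IV is encrypted, which is why predictable data in later blocks makes the IV question moot.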