Carl:
From the message traffic, I draw the following conclusions:
1. It is very unlikely in PEM (and even less likely in MIME-PEM) that one block
(64 bits) will cover the complete known plaintext. In OSI, where ASN.1 would
be used to encode the message, the first block will all be tag and length
information. Such tag and length information can be computed once the rest of
the plaintext is recovered.
2. The first block might deserve extra protection if certain compression
techniques are used. However, the protocol must not require tag and length
information to be prepended to the compressed information for this to remain
true. The object-oriented approach being used in application layer protocols
today suggests that such tag and length information will very likely be
present.
3. In CBC, the first block is used as the IV for the second block. If the
second block is also known plaintext, then secret IVs are not helpful.
4. In the future, key management techniques other than RSA might be adopted by
PEM. These techniques may not support secret IVs with the same simplicity as
RSA. In fact, the symmetric key management technique that is already in the
RFCs would require modification to support secret IVs.
In my opinion, the strong likelihood of known plaintext in the entire second block,
the need for key management technique independence, and the desire to leave the
RFC definition of symmetric key management alone provide a compelling argument
to accept the present practice of plaintext IVs.
Russ
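
Point 3 of the message, as an added example that is not part of the original message: in CBC a candidate key can be checked against a known second plaintext block using only ciphertext blocks 1 and 2, so keeping the IV secret does not affect that check. The toy Feistel cipher is an assumption standing in for the real 64-bit block cipher, and all function names and sample values are constructed for illustration.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, as in the message


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Toy round function (assumption): NOT a real cipher, only a stand-in.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list:
    # C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return out


def key_matches_block2(candidate: bytes, c1: bytes, c2: bytes, known_p2: bytes) -> bool:
    # P_2 = D_K(C_2) XOR C_1: the IV never appears in this test.
    return _xor(decrypt_block(candidate, c2), c1) == known_p2


def demo() -> tuple:
    key, wrong = b"constructed-key!", b"some-other-key!!"  # constructed keys
    secret_iv = os.urandom(BLOCK)  # kept secret; never passed to the key test
    # Constructed message: tag/length block, known second block, secret third block
    plaintext = b"\x30\x82\x01\x0aABCD" + b"KNOWN-P2" + b"secret!!"
    c1, c2, _ = cbc_encrypt(key, secret_iv, plaintext)
    return (key_matches_block2(key, c1, c2, b"KNOWN-P2"),
            key_matches_block2(wrong, c1, c2, b"KNOWN-P2"))
```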