
Re: Agree with PRZs MDC suggestion



On Sat, 22 May 1999, Werner Koch wrote:

> > > Why an extra checksum if we already have an MDC?
> > 
> > Because someone was suggesting that if anyone ever changed the algorithm
> > ID byte they could turn off the MDC.  That could be prevented by a
> 
> Ah well, I think it is easier to put a copy of the version byte and
> the algorithm identifier into the encrypted text:
> 
> E(random_prefix[blocksize+2],version_byte,algo_byte,plaintext,mdc_packet)

Blocksize+2?  Are we doing PGP-cfbs still?  Also, by mdc_packet, I take it
you mean a real packet (i.e. there is a virtual EOF after the
plaintext)?

> > And I might want to specify other algorithm IDs, e.g. the Palm Pilot has
> > MD5 (and DES) in the OS kernel, but not SHA1.  I would really prefer to
> > have my MDCs there as MD5, and use 3DES for a minimal Palm implementation.
> 
> Makes sense for me.  And I think it is better to use OpenPGP
> data formats than to use something else or invent another one.
> 
> Is it okay to have SHOULD use SHA1-MDC and SHOULD give a warning if
> another MDC is used? 

I think SHOULD use SHA1-MDC is best, but I am not sure about the warning
part.  I think it might be proper to give a warning on the creation (much
like giving a warning against using MAY or private algorithms other places
where most PGP implementations won't be able to handle it).

I forget if RMD160 or MD5 in the normal context are MAY or SHOULDs, but if
they are SHOULDs, I wouldn't want to give a warning.  Implementations
SHOULD be able to use any hash for MDC that they use for signatures.
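
The following is an added illustration, not part of the original message or of any OpenPGP implementation: a receiver-side check that the layout quoted above makes possible, comparing the unauthenticated outer header with the copy covered by the MDC. Assumptions: an 8-byte block size, algo_byte taken to identify the MDC hash, the MDC modelled as a bare digest over everything before it, a constructed version value, and the encryption layer omitted; the function names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCKSIZE = 8                      # assumed 64-bit block cipher
HASHES = {1: "md5", 2: "sha1"}     # OpenPGP hash algorithm IDs for MD5 and SHA-1


def build_body(version, algo, plaintext, prefix=None):
    """Cleartext handed to E(): prefix, version, algo, plaintext, MDC."""
    if prefix is None:
        prefix = os.urandom(BLOCKSIZE + 2)
    covered = prefix + bytes([version, algo]) + plaintext
    return covered + hashlib.new(HASHES[algo], covered).digest()


def check_body(outer_version, outer_algo, body):
    """Run on the decrypted body; return the plaintext or raise ValueError."""
    off = BLOCKSIZE + 2
    if len(body) < off + 2:
        raise ValueError("truncated body")
    inner_version, inner_algo = body[off], body[off + 1]
    # The outer header travels in the clear, so it can be rewritten in
    # transit. The copy inside the encrypted text is covered by the MDC.
    if (outer_version, outer_algo) != (inner_version, inner_algo):
        raise ValueError("outer header disagrees with encrypted copy")
    if inner_algo not in HASHES:
        raise ValueError("unknown MDC hash algorithm")
    name = HASHES[inner_algo]
    dlen = hashlib.new(name).digest_size
    if len(body) < off + 2 + dlen:
        raise ValueError("truncated MDC")
    covered, mdc = body[:-dlen], body[-dlen:]
    if not hmac.compare_digest(hashlib.new(name, covered).digest(), mdc):
        raise ValueError("MDC mismatch")
    return covered[off + 2:]


if __name__ == "__main__":
    body = build_body(1, 2, b"constructed sample plaintext")
    print(check_body(1, 2, body))            # header intact: plaintext returned
    try:
        check_body(1, 1, body)               # outer algorithm byte altered
    except ValueError as exc:
        print("rejected:", exc)
```
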