Re: OpenPGP question

Sam Hartman <> Tue, 17 October 2006 19:18 UTC

From: Sam Hartman <>
To: David Shaw <>
Subject: Re: OpenPGP question
Date: Tue, 17 Oct 2006 14:40:52 -0400
In-Reply-To: <> (David Shaw's message of "Wed, 20 Sep 2006 21:09:39 -0400")


I'm sorry it has taken me so long to get back to this.  I wanted to
make sure I thoroughly understood the MDC in 2440bis and also wanted
to talk with Russ and other security experts.

I've convinced myself that the MDC's use of SHA-1 is probably OK.
However, algorithm agility is an absolute requirement.  The document
needs to clearly articulate a strategy for upgrading the algorithm
used by the MDC and to explain how clients can detect support for this
algorithm if asymmetric keys are involved.  I was going to ask for the
ability to include multiple MDC packets to support phased upgrades,
but Russ convinced me that this is not necessary.

Also, I would like to ask you to submit the section of your document
describing the MDC to the CFRG for their review.  I suspect they are
not going to like it much, but we need to give them a chance to find
any huge show stoppers.

So, I'm asking for the following specific actions:

1) Document your algorithm upgrade strategy.

2) Ask for a CFRG review.