Initial thoughts.

[Seth Goodman]

As an improvement to what I've just proposed, sender_sig2, which
protected the SA header, the headers mentioned in the SA header and the
message body might as well be a CRC32.  You already have confirmation
that the sender is who he said he was, by either public key verification
or callback and a strong hash.  It's we're not trying to encrypt
anything with sender_sig2, just make sure nothing has been tampered with
so that a replay attack is not possible.  CRC32 is very good at that and
computationally very cheap.  Signing with private keys, decrypting with
public keys and computing SHA-1 hashes are computationally expensive,
despite what some on the SPF list said.  We can lighten the load by
replacing the second private key signature with a CRC32 and save a lot
of CPU cycles.  In hardware, a CRC is almost free.

--

Seth Goodman