OpenPGP library?

Werner Koch wk at gnupg.org
Wed Aug 29 15:43:01 CEST 2001


On 29 Aug 2001 11:46:33 -0000, Evil  said:

> Those are security policies.  Deciding to not have a library is a
> policy.  Those policies may be wrong for some users.  If you are

And deciding not to write it in ADA is another one, probably a bad
one.  I am talking about the gpg(1) *tool*.

> all your users.  You don't.  I could list a dozen reasons why, in some
> cases, DES might be a better choice than AES, for instance.  Can you
> think of some?

There are no technical reasons.  If there is an organization which has
a need for weak encryption, they should write their own or strip
GnuPG down to that.

> ones such as AES and 3DES, low security ones such as DES, very low
> security ones such as 40 bit DES, and even plaintext (ie, no

I agree with the FreeS/WAN project that we don't want any weak
encryption - there are no technical reasons for it (except for some
very strange protocols).  We try to do the best we can.

> configure my Apache/SSL server to support only 40-bit DES or no
> encryption at all if I want to.  I'm glad to have the choice.  The

And so is the GCHQ

> that use.  That's what Phil Z was originally thinking of, too.  But
> public key crypto, such as GPG, can and should be used all over the
> place, for a very broad range of applications.  It's unfortunate that

Just choose the right tool.  The GNU project has other tools which
might better fit for a purpose: Kerberos, LSH, GNUTLS, LIBGCRYPT.

> resulted in software with needless constraints, and it has resulted in
> the protocol being used much less than it could be.

Come on, PGP is still the de-facto standard for email encryption. 

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus




