un-trusting MD5 in gpg

David Shaw dshaw at jabberwocky.com
Thu May 7 01:16:37 CEST 2009

On May 6, 2009, at 6:17 PM, Daniel Kahn Gillmor wrote:

> On 05/06/2009 06:04 PM, David Shaw wrote:
>> The cipher is chosen by taking the union of Baker and
>> Charlie's cipher preferences and then using Alice's
>> personal-cipher-preferences to pick Alice's favorite choice from the
>> union.
> Is it really the union and not the intersection?  It seems that  
> choosing
> from the union could leave either Baker or Charlie with an  
> unacceptable
> choice.

Oops, yes, intersection!  Fingers not behaving today.

>> Up until today, we have relied on the must-implement algorithms to  
>> get
>> us out of a conflict like this.  This will be a new, and surprising,
>> behavior for GPG.  It will need to be off by default.
> "off by default" just means the "must-implement algorithms" are not
> included in the blacklist by default, right?  or do you envision some
> additional switch needed in order to say "yes, i really want to put  
> the
> must-implement algorithm in the blacklist"?

Off by default just means that the blacklist is empty by default.  If  
a user wants to blacklist something, whether that something is  
optional or must-implement, they need to explicitly put it in there.


More information about the Gnupg-devel mailing list