un-trusting MD5 in gpg
David Shaw
dshaw at jabberwocky.com
Thu May 7 01:16:37 CEST 2009
On May 6, 2009, at 6:17 PM, Daniel Kahn Gillmor wrote:
> On 05/06/2009 06:04 PM, David Shaw wrote:
>> The cipher is chosen by taking the union of Baker and
>> Charlie's cipher preferences and then using Alice's
>> personal-cipher-preferences to pick Alice's favorite choice from the
>> union.
>
> Is it really the union and not the intersection? It seems that choosing
> from the union could leave either Baker or Charlie with an unacceptable
> choice.

Oops, yes, intersection! Fingers not behaving today.

>> Up until today, we have relied on the must-implement algorithms to get
>> us out of a conflict like this. This will be a new, and surprising,
>> behavior for GPG. It will need to be off by default.
>
> "off by default" just means the "must-implement algorithms" are not
> included in the blacklist by default, right? Or do you envision some
> additional switch needed in order to say "yes, I really want to put the
> must-implement algorithm in the blacklist"?

Off by default just means that the blacklist is empty by default. If
a user wants to blacklist something, whether that something is
optional or must-implement, they need to explicitly put it in there.
David
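
The selection rule discussed in this message, as an added example that is not part of the original post and is not GnuPG's code: a simplified model of picking a cipher from the intersection of the recipients' preferences using the sender's ranking, and of how a blacklist can remove the must-implement fallback. The function name, the sample preference lists, the tie-break on the first recipient's order and returning `None` on a conflict are assumptions; 3DES is the must-implement cipher of RFC 4880.

```python
# Simplified model of the rule described in the thread; not GnuPG's implementation.
MUST_IMPLEMENT = "3DES"  # OpenPGP must-implement cipher (RFC 4880)

# Constructed sample preference lists (most preferred first).
BAKER = ["AES256", "AES", "CAST5"]
CHARLIE = ["AES", "CAST5", "TWOFISH"]
ALICE_PERSONAL = ["TWOFISH", "AES256", "CAST5", "AES"]


def choose_cipher(recipient_prefs, personal_prefs, blacklist=frozenset()):
    """Return one cipher every recipient accepts, or None on a conflict.

    recipient_prefs: one ordered preference list per recipient key.
    personal_prefs:  the sender's ranking (personal-cipher-preferences).
    blacklist:       algorithms the sender refuses; empty by default.
    """
    # Every key implicitly accepts the must-implement algorithm.
    acceptable = [set(p) | {MUST_IMPLEMENT} for p in recipient_prefs]
    # Intersection, not union: each recipient must be able to decrypt.
    common = set.intersection(*acceptable) if acceptable else {MUST_IMPLEMENT}
    common -= set(blacklist)
    # The sender's ranking picks the favourite; the must-implement
    # algorithm is the last resort when the ranking matches nothing.
    for algo in list(personal_prefs) + [MUST_IMPLEMENT]:
        if algo in common:
            return algo
    # Assumption of this model: otherwise follow the first recipient's order.
    for algo in (recipient_prefs[0] if recipient_prefs else []):
        if algo in common:
            return algo
    return None  # blacklist left nothing usable: the new conflict case


if __name__ == "__main__":
    # Alice's favourite, TWOFISH, is only in the union; the intersection gives CAST5.
    print(choose_cipher([BAKER, CHARLIE], ALICE_PERSONAL))
    # Disjoint recipients: only the must-implement algorithm is common.
    print(choose_cipher([["AES256"], ["TWOFISH"]], ALICE_PERSONAL))
    # Blacklisting the must-implement algorithm removes that way out.
    print(choose_cipher([["AES256"], ["TWOFISH"]], ALICE_PERSONAL, {"3DES"}))
```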