3DES special case [Was: Re: --blacklist-digest-algo plans]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu May 7 23:52:22 CEST 2009
On 05/07/2009 01:25 PM, David Shaw wrote:
> We effectively have this now. If you take the cipher out of both your
> on-key preferences and your personal-cipher-preferences, then other
> people will not use it when encrypting to you, and you will not use it
> when encrypting to other people. GPG will even print a warning if
> someone uses it to encrypt to you ("WARNING: cipher algorithm
> such-and-such not found in recipient preferences").
>
> The only difference I see between this and a possible
> blacklist-cipher-algo is that presumably you could blacklist 3DES, which
> you can't remove from preferences.

Why not emit a warning if 3DES is not in the preferences either? the
RFC says MUST-Implement, not MUST-NOT-Warn.

Currently, gpg implements CAST5, but if you --encrypt --cipher-algo
CAST5 to someone whose preferences don't list CAST5, you get a warning.
And if you --decrypt something over CAST5, and it is not explicitly in
your preferences, you get a warning.

Why not treat 3DES the same way? sure, we know that RFC-compliant
OpenPGP implementations will be able to handle it. But if someone has
explicitly stricken it from their preference list, that probably means
they'd rather not receive 3DES-encrypted messages. A warning seems
reasonable to me.

FWIW, i just added "disable-cipher-algo 3DES" to my ~/.gnupg/gpg.conf
today to see what happens. i'm aware that this drastic step makes gpg
non-RFC-compliant, but it's the closest i can currently come to getting
it to represent my actual cipher preferences.
--dkg
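
The following is an added example, not part of the original message and not GnuPG's code: a simplified Python model of the preference handling discussed in this thread, showing why 3DES can be chosen silently and what the proposed warning would change. The function names, the `warn_on_implicit_3des` switch and the recipient data are assumptions constructed for illustration.

```python
# Simplified model of OpenPGP cipher preference handling (not GnuPG's code).
# RFC 4880 section 13.2: 3DES is the MUST-implement cipher, so if it is not
# explicitly in a preference list it is tacitly at the end of it.
IMPLICIT = "3DES"

def effective_prefs(explicit):
    """Explicit preference list with the implicit 3DES entry appended."""
    return list(explicit) if IMPLICIT in explicit else list(explicit) + [IMPLICIT]

def select_cipher(recipients, personal_prefs):
    """First cipher in the sender's order that every recipient accepts.

    recipients: dict of name -> explicit on-key preference list.
    personal_prefs: sender's ordering, like personal-cipher-preferences.
    """
    if not recipients:
        raise ValueError("at least one recipient is required")
    common = set.intersection(
        *(set(effective_prefs(p)) for p in recipients.values()))
    for algo in effective_prefs(personal_prefs):
        if algo in common:
            return algo
    return IMPLICIT  # not reached: 3DES is in every effective list

def warnings_for(cipher, recipients, warn_on_implicit_3des):
    """Recipients whose *explicit* list does not name the chosen cipher.

    warn_on_implicit_3des=False models 3DES being exempt from the warning;
    True models the proposal to treat 3DES the same way as CAST5.
    """
    if cipher == IMPLICIT and not warn_on_implicit_3des:
        return []
    return sorted(n for n, prefs in recipients.items() if cipher not in prefs)

# Constructed sample data: neither recipient lists 3DES explicitly, and
# they share no explicit cipher, so only the implicit entry is common.
RECIPIENTS = {
    "alice": ["AES256", "AES", "CAST5"],
    "bob": ["TWOFISH", "BLOWFISH"],
}

if __name__ == "__main__":
    chosen = select_cipher(RECIPIENTS, ["AES256", "AES"])
    print("chosen:", chosen)
    print("warn (exempt):  ", warnings_for(chosen, RECIPIENTS, False))
    print("warn (proposed):", warnings_for(chosen, RECIPIENTS, True))
    print("forced CAST5:   ", warnings_for("CAST5", RECIPIENTS, False))
```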