3DES special case [Was: Re: --blacklist-digest-algo plans]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 7 23:52:22 CEST 2009


On 05/07/2009 01:25 PM, David Shaw wrote:
> We effectively have this now.  If you take the cipher out of both your
> on-key preferences and your personal-cipher-preferences, then other
> people will not use it when encrypting to you, and you will not use it
> when encrypting to other people.  GPG will even print a warning if
> someone uses it to encrypt to you ("WARNING: cipher algorithm
> such-and-such not found in recipient preferences").
> 
> The only difference I see between this and a possible
> blacklist-cipher-algo is that presumably you could blacklist 3DES, which
> you can't remove from preferences.

Why not emit a warning if 3DES is not in the preferences either?  the
RFC says MUST-Implement, not MUST-NOT-Warn.

Currently, gpg implements CAST5, but if you --encrypt --cipher-algo
CAST5 to someone whose preferences don't list CAST5, you get a warning.
 And if you --decrypt something over CAST5, and it is not explicitly in
your preferences, you get a warning.

Why not treat 3DES the same way?  sure, we know that RFC-compliant
OpenPGP implementations will be able to handle it.  But if someone has
explicitly stricken it from their preference list, that probably means
they'd rather not receive 3DES-encrypted messages.  A warning seems
reasonable to me.

FWIW, i just added "disable-cipher-algo 3DES" to my ~/.gnupg/gpg.conf
today to see what happens.  i'm aware that this drastic step makes gpg
non-RFC-compliant, but it's the closest i can currently come to getting
it to represent my actual cipher preferences.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090507/8e366c1b/attachment.pgp>


More information about the Gnupg-devel mailing list