s2k-cipher-mode default

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 2 17:33:31 CEST 2015

Hi GnuPG devs--

I've been thinking about s2k-cipher-mode defaults.  In 2.0 and 1.4
branches, this defaults to CAST5.  In 2.1, it defaults to AES (aes128).

I think it should change to AES256, with explanation below.

When s2k-cipher-mode is used to select the cipher for secret key
material, there are no interoperability concerns: this is relevant only
for the system that it's on.  Therefore, for ciphers that select the
secret key, it should be the strongest symmetric cipher known to the
running system.  This is probably AES256, not CAST5 or AES128.

Interoperability concerns may arise when this is applied to symmetric
encryption intended for a remote recipient.  In this case, it's possible
that the peer doesn't have access to AES256.  AES was standardized in
2001, 14 years ago.  The underlying algorithm, Rijndael, was known for
years before the standardization process. GnuPG added AES256 around
2002.  PGP 7.0.3, from ~2001, supports AES256 (I have not checked earlier
versions of PGP).

Peers that do not support AES256 are either extremely rare or hopelessly
out of date.  Reducing the strength of the ciphers in use for the sake
of preserving interop with these peers seems like a bad tradeoff.

What do folks think about making this change to the defaults?

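To see which cipher a passphrase-encrypted message actually used, the cipher ID can be read from its Symmetric-Key Encrypted Session Key packet (tag 3, RFC 4880). The following is an added example, not part of the original post and not GnuPG code; it assumes binary (non-armored) OpenPGP input, and the sample bytes are constructed for illustration.

```python
# Added example: list the cipher named in each v4 SKESK packet (tag 3).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}  # RFC 4880, 9.2
S2K_LEN = {0: 2, 1: 10, 3: 11}  # S2K specifier length by type (RFC 4880, 3.7.1)

def read_packets(data):
    """Yield (tag, body) per packet; stops at length forms it does not handle."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                return                      # partial body length (bulk data)
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                return                      # indeterminate length (bulk data)
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def skesk_ciphers(data):
    """Return the cipher name from every v4 SKESK packet in binary OpenPGP data."""
    names = []
    for tag, body in read_packets(data):
        if tag != 3:
            continue
        if len(body) < 3 or body[0] != 4 or len(body) < 2 + S2K_LEN.get(body[2], 99):
            raise ValueError("malformed or unsupported SKESK packet")
        names.append(CIPHERS.get(body[1], "unknown(%d)" % body[1]))
    return names

# Constructed samples: SKESK with iterated+salted S2K, zero salt, count octet 0x60.
SALT = bytes(8)
CAST5_MSG = bytes([0x8C, 13, 4, 3, 3, 2]) + SALT + b"\x60"   # old-format header
AES256_MSG = bytes([0xC3, 13, 4, 9, 3, 8]) + SALT + b"\x60"  # new-format header
print(skesk_ciphers(CAST5_MSG + AES256_MSG))
```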