Feature suggestion: options to require MDC or trusted signature on decryption
Uri Blumenthal
uri at mit.edu
Thu May 24 22:34:49 CEST 2018
+1 to what Holger said. [2] by default, with the ability to override, preferably via config.
I do *not* want to enforce the presence of a signature (to preserve the possibility of anonymity) - but I do want a true AE.
Sent from my test iPhone
> On May 24, 2018, at 14:04, Holger Smolinski via [gnupg-devel] <gpg-devel at nopicturesplease.de> wrote:
>
>> Am 24.05.2018 um 10:53 schrieb Francois Grieu:
>>
>> In the wake of efail ( https://efail.de/ ), I think it could be useful
>> to add options to gpg (the command-line tool) that
>>
>> [1] cause gpg to suppress any deciphered output that is not
>> integrity-protected by at least one of MDC or trusted signature; I do
>> realize this requires buffering when using gpg as a pipe.
>>
>> [2] cause gpg to exit with non-zero status whenever an input was
>> deciphered (output or not) and was not integrity-protected as above.
>>
>> Any thoughts (like: some of that exists, and I missed it) ?
> I'd vote for [2] without output generation as default behavior and also
> add an override option.
>
> That would allow external programs like enigmail to
> - either treat this as a failed decryption for security reasons [default]
> - or voluntarily accept the unsafe behavior and establish safety on
> their own.
>
> Regards,
> Holger
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
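The two behaviours proposed by Francois ([1] suppress non-integrity-protected plaintext, [2] non-zero exit) can already be approximated from the outside, which is the position Holger describes for a caller such as Enigmail. The wrapper below is an added example, not code from this thread or from GnuPG itself. It assumes a gpg that supports `--status-fd` and relies only on status tokens documented in GnuPG's `doc/DETAILS` (`GOODMDC`, `BADMDC`, `DECRYPTION_OKAY`, `DECRYPTION_FAILED`, `GOODSIG`, `BADSIG`, `ERRSIG`, `TRUST_FULLY`, `TRUST_ULTIMATE`); the function names `gpg_status_ok`, `verdict` and `safe_gpg_decrypt` and the sample status lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: a wrapper that gives
# an unmodified gpg the two proposed behaviours using only the machine-readable
# status lines gpg already emits on --status-fd (token names are the ones
# documented in GnuPG's doc/DETAILS).
#
#   [1] plaintext is buffered in a temporary file and only released when the
#       message was integrity-protected (GOODMDC, or GOODSIG from a fully or
#       ultimately trusted key);
#   [2] otherwise nothing is written and the exit status is non-zero.

# gpg_status_ok STATUSFILE -> returns 0 if the policy is satisfied, 1 otherwise.
gpg_status_ok() {
    f=$1
    # Any explicit integrity or signature failure vetoes the message, even when
    # an MDC is present (stricter than the bare "at least one of" rule).
    if grep -qE '^\[GNUPG:] (BADMDC|DECRYPTION_FAILED|BADSIG|ERRSIG)' "$f"; then
        return 1
    fi
    # Decryption itself must have completed.
    grep -qE '^\[GNUPG:] DECRYPTION_OKAY' "$f" || return 1
    # Path A: modification detection code present and verified.
    if grep -qE '^\[GNUPG:] GOODMDC' "$f"; then
        return 0
    fi
    # Path B: good signature AND the signing key is fully/ultimately trusted.
    if grep -qE '^\[GNUPG:] GOODSIG ' "$f" &&
       grep -qE '^\[GNUPG:] TRUST_(FULLY|ULTIMATE)' "$f"; then
        return 0
    fi
    return 1
}

# verdict < status-lines -> prints "accept" or "reject" (offline check of the
# policy against a captured or constructed status stream; no gpg needed).
verdict() {
    t=$(mktemp) || return 2
    cat >"$t"
    if gpg_status_ok "$t"; then echo accept; else echo reject; fi
    rm -f "$t"
}

# safe_gpg_decrypt [extra gpg options] < ciphertext > plaintext
# Exit status: 0 = plaintext released, 1 = suppressed by policy or gpg error.
safe_gpg_decrypt() {
    d=$(mktemp -d) || return 2
    status="$d/status"
    plain="$d/plain"
    # Buffer instead of streaming: the verdict is only known after gpg has
    # consumed the whole message (the buffering cost noted in the proposal).
    gpg --batch --status-fd 3 "$@" --output "$plain" --decrypt 3>"$status"
    rc=$?
    if [ "$rc" -eq 0 ] && gpg_status_ok "$status"; then
        cat "$plain"
        rc=0
    else
        echo "safe_gpg_decrypt: plaintext suppressed (not integrity-protected or decryption failed)" >&2
        rc=1
    fi
    rm -rf "$d"
    return "$rc"
}
```

Usage: `safe_gpg_decrypt < message.gpg > message.txt`; a non-zero exit with an empty output file is the signal a caller treats as a failed decryption. A message with neither MDC nor signature (the case gpg of that era only warned about) is rejected by `verdict`, as is a signed-but-untrusted message, while `GOODMDC` or `GOODSIG` plus `TRUST_FULLY`/`TRUST_ULTIMATE` is accepted. Later GnuPG releases (2.2.8 onward) turned a missing MDC into a hard failure by default, overridable with `--ignore-mdc-error`, so for current gpg the wrapper's remaining value is the trusted-signature path and the consistent exit-status contract for callers.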