Feature suggestion: options to require MDC or trusted signature on decryption
uri at mit.edu
Thu May 24 22:34:49 CEST 2018
+1 to what Holger said. By default, with the ability to override, preferably via config.
I do *not* want to enforce the presence of a signature (to preserve the possibility of anonymity) - but I do want a true AE.
Sent from my test iPhone
> On May 24, 2018, at 14:04, Holger Smolinski via [gnupg-devel] <gpg-devel at nopicturesplease.de> wrote:
>> Am 24.05.2018 um 10:53 schrieb Francois Grieu:
>> In the wake of efail ( https://efail.de/ ), I think it could be useful
>> to add options to gpg (the command-line tool) that
>> - cause gpg to suppress any deciphered output that is not
>> integrity-protected by at least one of MDC or trusted signature; I do
>> realize this requires buffering when using gpg as a pipe.
>> - cause gpg to exit with non-zero status whenever an input was
>> deciphered (output or not) and was not integrity-protected as above.
>> Any thoughts (like: some of that exists, and I missed it)?
> I'd vote for  without output generation as default behavior and also
> add an override option.
> That would allow external programs like enigmail to
> - either treat this as a failed decryption for security reasons [default]
> - or voluntarily accept the unsafe behavior and establish safety on
> their own.
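The policy discussed in this thread (release plaintext only when it is integrity-protected by an MDC or by a valid signature from a trusted key, otherwise fail non-zero) can already be enforced by a wrapper around gpg, using the machine-readable status lines gpg emits on `--status-fd`. The script below is an added example for this thread, not GnuPG code and not anything the posters wrote. The status keywords it matches (`DECRYPTION_OKAY`, `GOODMDC`, `BADMDC`, `DECRYPTION_FAILED`, `VALIDSIG`, `TRUST_FULLY`, `TRUST_ULTIMATE`) are the ones GnuPG documents in doc/DETAILS; the function names `check_integrity` and `safe_decrypt`, the policy itself, and the sample status lines used for testing are assumptions of this example. The buffering Francois mentions is visible here: the plaintext goes to a temporary file and is only copied out after the status stream has been judged.

```shell
#!/bin/sh
# Added example, not part of GnuPG or of the original thread.
# Decide from gpg's --status-fd lines whether decrypted output may be released.

# check_integrity: reads gpg status lines on stdin.
# Returns 0 when decryption succeeded AND the data was integrity protected,
# i.e. a good MDC was present, or a valid signature was made by a key with
# full or ultimate trust. Returns 1 otherwise (including a bad MDC).
check_integrity() {
    decrypt_ok=0 have_mdc=0 sig_valid=0 have_trusted_sig=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] DECRYPTION_OKAY"*) decrypt_ok=1 ;;
            "[GNUPG:] GOODMDC"*) have_mdc=1 ;;
            # A failed MDC check or failed decryption is always a hard failure.
            "[GNUPG:] BADMDC"*|"[GNUPG:] DECRYPTION_FAILED"*) return 1 ;;
            # gpg prints VALIDSIG before the TRUST_* line for the same signature.
            "[GNUPG:] VALIDSIG"*) sig_valid=1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*)
                [ "$sig_valid" -eq 1 ] && have_trusted_sig=1 ;;
        esac
    done
    [ "$decrypt_ok" -eq 1 ] || return 1
    [ "$have_mdc" -eq 1 ] || [ "$have_trusted_sig" -eq 1 ]
}

# safe_decrypt FILE: decrypt FILE, buffer the plaintext in a temp file, and
# write it to stdout only if check_integrity accepts the status stream.
# Exit status is non-zero whenever the plaintext is withheld.
# usage: safe_decrypt message.gpg > message.txt
safe_decrypt() {
    in=$1
    tmp=$(mktemp) status=$(mktemp)
    # Status lines go to fd 3, which is redirected to the status file.
    gpg --batch --status-fd 3 --output "$tmp" --decrypt "$in" 3>"$status" 2>/dev/null
    if check_integrity <"$status"; then
        cat "$tmp"
        rc=0
    else
        echo "refusing to release plaintext: no MDC or trusted signature" >&2
        rc=1
    fi
    rm -f "$tmp" "$status"
    return $rc
}
```

Callers such as a mail client would treat a non-zero exit from `safe_decrypt` exactly as a failed decryption, which is the default Holger argues for; an override would simply bypass `check_integrity` and copy the buffered plaintext out unconditionally.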