Feature suggestion: options to require MDC or trusted signature on decryption

Uri Blumenthal uri at mit.edu
Thu May 24 22:34:49 CEST 2018

+1 to what Holger said. [2] by default, with the ability to override, preferably via config.

I do *not* want to enforce the presence of a signature (to preserve the possibility of anonymity) - but I do want a true AE.

Sent from my test iPhone

> On May 24, 2018, at 14:04, Holger Smolinski via [gnupg-devel] <gpg-devel at nopicturesplease.de> wrote:
>> Am 24.05.2018 um 10:53 schrieb Francois Grieu:
>> In the wake of efail ( https://efail.de/ ), I think it could be useful
>> to add options to gpg (the command-line tool) that
>> [1] cause gpg to supress any deciphered output that is not
>> integrity-protected by at least one of MDC or trusted signature; I do
>> realize this requires buffering when using gpg as a pipe.
>> [2] cause gpg to exit with non-zero status whenever an input was
>> deciphered (output or not) and was not integrity-protected as above.
>> Any thoughts (like: some of that exists, and I missed it) ?
> I'd vote for [2] without output generation as default behavior and also
> add an override option.
> That would allow external programs like enigmail to
> - either treat this as a failed decryption for security reasons [default]
> - or voluntarily accept the unsafe behavior and establish safety on
> their own.
> Regards,
>     Holger
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

More information about the Gnupg-devel mailing list