Feature suggestion: options to require MDC or trusted signature on decryption

Werner Koch wk at gnupg.org
Mon May 28 11:24:25 CEST 2018

On Thu, 24 May 2018 10:53, fgrieu at gmail.com said:

> [1] cause gpg to supress any deciphered output that is not
> integrity-protected by at least one of MDC or trusted signature; I do
> realize this requires buffering when using gpg as a pipe.

Buffering is not the task of gpg and simply not possible.  This needs to
be done by another layer.  I already remarked elsewhere that I plan to
do this to GPGME when using in certain ways (ie. in memory or on files).

> [2] cause gpg to exit with non-zero status whenever an input was
> deciphered (output or not) and was not integrity-protected as above.

This is already the case unless a user is using a very old key and never
updated the expiration date or the preferences.  I have some doubts that
such a key will be used with proper OPSEC.  Note also that tehre are
widley used OpenPGP implementaions which support only AES and major
interoperablity problems have not been reported.  This is another
indication that the use of the legacy algorithsm (IDEA, 3DES, CAST5) are
quite rare.  Anyway, in master we now fail hard for _all_ cipher
algorithm, regardless of any preferences.

We need to discuss whether to backport this to 2.2.  I meanwhile tend to
say yes.



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180528/9ebef211/attachment.sig>

More information about the Gnupg-devel mailing list