Question about FAQ section 7.1

David Shaw dshaw at jabberwocky.com
Fri Sep 24 21:56:17 CEST 2004


On Fri, Sep 24, 2004 at 12:16:11PM -0700, mujyo at comcast.net wrote:
> Hello List :^)
> 
> In section 7.1 of the FAQ the last paragraph states:
> 
> "There is a small security glitch in the OpenPGP (and therefore GnuPG)
> system; to avoid this you should always sign and encrypt a message
> instead of only encrypting it."
> ( http://www.gnupg.org/(en)/documentation/faqs.html#q7.1 )
> 
> I am wondering if this is still the case, and if this means that one
> should also not use 'conventional' encryption, as the language appears
> to possibly be saying that as well. And has this 'glitch' been fixed?

This isn't true any longer.  OpenPGP now has the MDC protection.  Both
GnuPG and PGP support it.  MDC can be turned off manually, or if you
encrypt to a key that doesn't support it, it is switched off
automatically, but in general it is on.  GnuPG tries pretty hard to
use MDC whenever possible.  MDC works for conventional encryption
also.

> Also, does anyone see any basic problems in encrypting =<700MB files
> using --recipient (My-Name) --encrypt (File), i.e. encrypting to one's
> self for files only for yourself. Is it better to encrypt with say
> TWOFISH, or a Key-pair even though you are only encrypting to
> yourself.

No basic problem.  Some people like to use --symmetric when encrypting
to themselves, and some people like to use their public key.  It's
really a matter of taste.  I prefer to use my public key so I don't
have one more passphrase to remember ;)

David
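
One way to check whether a given message actually got the MDC protection discussed in the reply above (an added example, not part of the original post and not GnuPG code): it walks the top-level packets of a binary, non-armored OpenPGP message and reports whether the encrypted data packet is tag 18 (integrity protected, carries an MDC) or the older tag 9 (no MDC), using the RFC 4880 header layout. The function names and the sample bytes are constructed for illustration.

```python
SED, SEIPD = 9, 18   # RFC 4880 tags: 9 = encrypted data without MDC, 18 = with MDC
SAMPLE_MDC = bytes([0xC3, 2, 4, 9, 0xD2, 3, 1, 0, 0])    # constructed: tag 3 + tag 18
SAMPLE_LEGACY = bytes([0x8C, 2, 4, 9, 0xA7, 0, 0, 0])    # constructed: tag 3 + tag 9

def _new_length(data, i):
    """Decode one new-format length field: (length, next_index, is_partial)."""
    o = data[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + data[i + 1] + 192, i + 2, False
    if o == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True      # partial body chunk, more follow

def packet_tags(data):
    """Return the tags of the top-level packets in a binary OpenPGP message."""
    tags, i = [], 0
    try:
        while i < len(data):
            hdr = data[i]
            if not hdr & 0x80:               # bit 7 is set on every packet header
                raise ValueError("bad packet header at offset %d" % i)
            i += 1
            if hdr & 0x40:                   # new-format header
                tag, partial = hdr & 0x3F, True
                while partial:
                    n, i, partial = _new_length(data, i)
                    i += n
            else:                            # old-format header
                tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
                if ltype == 3:               # indeterminate length: rest of input
                    i = len(data)
                else:
                    size = 1 << ltype        # 1, 2 or 4 length octets
                    i += size + int.from_bytes(data[i:i + size], "big")
            if i > len(data):
                raise ValueError("truncated packet")
            tags.append(tag)
    except IndexError:
        raise ValueError("truncated packet header")
    return tags

def mdc_status(data):
    """'protected' if the encrypted data packet is tag 18, 'unprotected' if tag 9."""
    tags = packet_tags(data)
    if SEIPD in tags:
        return "protected"
    return "unprotected" if SED in tags else "no encrypted data packet"
```

An ASCII-armored file has to be dearmored first; the header check rejects armor text with a ValueError.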


