Selection of digest algorithm

Robert J. Hansen rjh at sixdemonbag.org
Thu Jan 29 15:22:18 CET 2009


Sven Radde wrote:
> So it would appear that Evolution uses RFC 2015, skipping the obsolete MD5.

No.  Jeff Anderson, Evolution's main GnuPG author, told me directly they
supported RFC3156.  He went on at great length about how inline traffic
is stupid and it isn't RFC-approved for email use, and how RFC3156 was
the One True Way regardless of what people wanted.

So yeah, taking Jeff at his word, he implemented RFC3156.  He's just
artificially restricting which hash algorithms can be used, which has
the added side effect of completely breaking Evolution for DSA2 keys.
Evolution cannot sign messages with a DSA2 key -- or at least, I've
never found a way to do it short of going in and hacking up the source code.

I do not think very highly of Evolution's OpenPGP support.

> Is there a GnuPG setting to find out more about the exact calls that
> Evolution does?

I found out just by writing a tiny shell script wrapper which echoed the
arguments given to GnuPG.

> As I said, other parts of gpg.conf are honored

These would be the parts they're not setting on the command line.

> Is there some kind of "recommended" email application when it comes to
> GnuPG support? Or, put differently, which ones are known for "good"
> integration?

At last year's USENIX, in a panel discussion, Dan Wallach of Rice
declared Enigmail the best thing going in terms of OpenPGP integration.
That's high praise coming from a very well-respected guy in computer
security.

This was said as part of a sidebar he made about the difficulty in
getting 30+ Ph.D.s in computer science to all use PGP for a particular
mailing list.  Some were using Evolution, some were using ancient PGP,
some were using modern PGP, some were using plugins, others were C&Ping
into a Microsoft Word document then using some weird Word PGP plugin,
some were using Enigmail, etc.  He capped it off with an exasperated
sigh, then recommended Enigmail to people who needed OpenPGP
integration, as Enigmail gave the least troubles.

> I have used Enigmail in the past but I was under the impression that its
> integration was hampered by limitations of Thunderbird's plugin API.

It is.  But it's not /severely/ hampered.  E.g., address book
integration doesn't work because the address book internals are such a
maze of twisty little passages, all alike.
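The argument-logging wrapper mentioned above, written out as an added example (this is not code from the original post): it records how a mail client invokes gpg and then passes the call through unchanged. GPG_REAL, GPG_ARGLOG and the function names are this example's own choices, and --digest-algo is used only as an illustrative option to look for in the recorded arguments.

```shell
#!/bin/sh
# Logging wrapper for gpg. Install this file as ~/bin/gpg with ~/bin ahead
# of the real gpg in PATH; every invocation by the mail client is recorded
# to GPG_ARGLOG and then passed through to the real binary unchanged.
# GPG_REAL and GPG_ARGLOG are names chosen for this example (assumptions).
GPG_REAL="${GPG_REAL:-/usr/bin/gpg}"
GPG_ARGLOG="${GPG_ARGLOG:-$HOME/gpg-args.log}"

# One record per invocation, one argument per line, so an argument that
# contains spaces cannot be mistaken for two arguments.
format_gpg_args() {
    printf 'invocation pid=%s time=%s\n' "$$" "$(date +%Y-%m-%dT%H:%M:%S)"
    for a in "$@"; do
        printf '  arg: %s\n' "$a"
    done
}

# Report the value of a long option (e.g. --digest-algo) in an argv,
# accepting both "--opt VALUE" and "--opt=VALUE". Prints the value and
# returns 0, or returns 1 when the option is absent.
option_value() {
    opt="$1"; shift
    while [ $# -gt 0 ]; do
        case "$1" in
            "$opt")
                if [ $# -ge 2 ]; then printf '%s\n' "$2"; return 0; fi ;;
            "$opt"=*)
                printf '%s\n' "${1#*=}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Record the call, then replace this process with the real gpg so stdin,
# stdout and the exit status are exactly what the client would see anyway.
log_and_exec_gpg() {
    format_gpg_args "$@" >>"$GPG_ARGLOG"
    exec "$GPG_REAL" "$@"
}

# Pass through only when this file is installed under the name "gpg";
# under any other name just the functions above are defined.
case "$0" in
    */gpg|gpg) log_and_exec_gpg "$@" ;;
esac
```

Once a signing attempt has gone through the wrapper, `option_value --digest-algo` run over a recorded argv shows whether the client forces a digest on the command line rather than leaving the choice to gpg.conf.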
