David Shaw dshaw at
Wed Mar 16 00:42:48 CET 2011

On Mar 15, 2011, at 6:51 PM, vedaal at wrote:

> David Shaw dshaw at wrot on
> Tue Mar 15 22:28:23 CET 2011 :
>> I'm not quite sure what you mean.  
>> The MDC can be used on any OpenPGP cipher, no matter what the 
> size.
> Yes, 
> but it's done by gnupg by default for 256 bit ciphers, while it 
> needs the option of '--force-mdc' for non-256 bit ciphers.

That is not quite right.  Whether the MDC is used or not is a key preference similar to the cipher preferences, to ensure that all recipients can handle the message.  Using --force-mdc overrides that, and similar to overriding the cipher preferences, runs the risk of sending a message that a particular recipient can't read.

The 256-bit cipher thing is a bit of a neat trick - when putting together RFC-4880, it was observed that all implementations that had 256-bit ciphers also had the MDC, so using a 256-bit cipher could be used to infer the ability to do a MDC.  GnuPG does that as well, since using the MDC is a good thing.

> My suggestion is to have gnupg do the MDC by default for all 
> ciphers sizes.

GnuPG does the MDC by default whenever all the keys can handle it (or if the chosen cipher is 256 bits)

All keys generated in GnuPG since the MDC preference was added (in 1.0.7, if I recall) have this flag set by default.  Anyone who wants to set the flag on a key that does not have it can use the usual --edit-key / setpref method with the keyword "mdc".


More information about the Gnupg-users mailing list