Efail or OpenPGP is safer than S/MIME

Werner Koch wk at gnupg.org
Mon May 14 19:32:18 CEST 2018

On Mon, 14 May 2018 15:44, andrewg at andrewg.com said:

> This all exposes one of the difficulties with trying to manage security
> software in a decentralised ecosystem. We end up in arguments over whose

That is actually easy compared to a system which is also designed to
protect data at rest.  Some users may want to restore their 2 year old
backup to fix a problem with garbled tapes; some may want to read the
real documents about WMD from 2003; some may even want to be able to
decrypt their old love letters at the time of their silver wedding.

> 1. change the default behaviour of GPG so that any integrity failure is
> fatal by default, even for old ciphersuites (we could have a flag to

I am all in favor of this and even considered that some time ago.
However, not too long ago we removed support for PGP-2 keys which
unfortunately resulted in lots of angry mails from people who now think
they need to use gnupg 1.4 every day because they seem to read mails
from the last century on a regular basis.  Well, they think and they were
quite vocal.  Now telling them they need to enable an option to read
certain not that old mail (e.g. created by other OpenPGP
implementations) will a) lead to even more angry mails and b) they will
keep on using that option for all mails.  Thus my tentative plan was to
make the next major version hard fail on messages without MDC and slowly
start using our forthcoming AEAD encryption mode.

Well okay, with the new support of the Ehtmlfail paper we could now
point to that paper and always hard error out if no MDC is used even for
old algorithms.  Shall we consider this?

> the obsolete ciphersuites by default (again, we can provide an

They are not used by default.  3DES is a MUST algorithm and will only be
deprecated with RFC_4990bis and thus GnuPG 2.3. 

> 2. AND the MUAs need to make sure they fail hard on integrity warnings,
> because old versions of GPG may hang around for a while. Also ensure

Fortunately the majority of them do.

> that links aren't followed by default, that the capabilities of
> encrypted HTML mail are constrained, etc.

Yes please, I consider this the minimum requirement for HTML based
mails.  Why send email when you need to go online to read it?
And also disallow Javascript.  Now you only need to convince the mail
content designers that they can't simply use the web page and send it as
mail.  That will be the hard part.

> The PGP ecosystem will survive this, because the tech is in place. The

I am not so sure for S/MIME - but that is wishful thinking ;-)



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.
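
The point made in the thread, that a mail client should fail hard on integrity problems because older gpg versions only warn about a missing MDC, sketched as an added example (not code from this message, from GnuPG, or from any MUA). It assumes the client runs gpg with `--status-fd` and reads the `BEGIN_DECRYPTION`, `DECRYPTION_OKAY`, `GOODMDC`, `BADMDC`, `DECRYPTION_FAILED` and `END_DECRYPTION` status keywords; the function names, the fail-closed policy and the sample status lines are constructed for illustration.

```python
PREFIX = "[GNUPG:] "

def decryption_blocks(status_output):
    """Group status keywords per BEGIN_DECRYPTION..END_DECRYPTION block."""
    blocks, current = [], None
    for line in status_output.splitlines():
        if not line.startswith(PREFIX):
            continue                      # human-readable diagnostics, ignored
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        if fields[0] == "BEGIN_DECRYPTION":
            current = set()
            blocks.append(current)
        elif current is not None:
            current.add(fields[0])
            if fields[0] == "END_DECRYPTION":
                current = None
    return blocks

def integrity_verdict(status_output):
    """Return (render_ok, reason); the plaintext is shown only if render_ok."""
    blocks = decryption_blocks(status_output)
    if not blocks:
        return False, "no decryption status seen"
    for block in blocks:                  # every encrypted part must pass
        if "BADMDC" in block:
            return False, "integrity check failed"
        if "DECRYPTION_FAILED" in block:
            return False, "decryption failed"
        if not {"DECRYPTION_OKAY", "END_DECRYPTION"} <= block:
            return False, "incomplete decryption status"
        if "GOODMDC" not in block:
            # Assumed policy: a warning-only gpg still returned plaintext here.
            return False, "message was not integrity protected"
    return True, "decrypted and integrity verified"

# Constructed sample status output (not captured from a real gpg run).
GOOD = ("[GNUPG:] ENC_TO 0123456789ABCDEF 1 0\n[GNUPG:] BEGIN_DECRYPTION\n"
        "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
NO_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n"
          "gpg: WARNING: message was not integrity protected\n"
          "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n")
BAD_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] BADMDC\n"
           "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("no-mdc", NO_MDC), ("bad-mdc", BAD_MDC)):
        print(name, integrity_verdict(sample))
```

Tracking each decryption block separately keeps a `GOODMDC` from one encrypted part from vouching for another part that had none.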