Efail or OpenPGP is safer than S/MIME
Patrick Brunschwig
patrick at enigmail.net
Tue May 15 08:47:06 CEST 2018
On 14.05.18 19:32, Werner Koch wrote:
[...]
>> 1. change the default behaviour of GPG so that any integrity failure is
>> fatal by default, even for old ciphersuites (we could have a flag to
>
> I am all in favor of this and even considered doing that some time ago.
> However, not too long ago we removed support for PGP-2 keys which
> unfortunately resulted in lots of angry mails from people who now think
> they need to use gnupg 1.4 every day because they seem to read mails
> from the last century on a regular basis. Well, they think and they were
> quite vocal. Now telling them they need to enable an option to read
> certain not that old mail (e.g. created by other OpenPGP
> implementations) will a) lead to even more angry mails and b) they will
> keep on using that option for all mails. Thus my tentative plan was to
> make the next major version hard fail on messages without MDC and slowly
> start using our forthcoming AEAD encryption mode.
>
> Well okay, with the new support of the Ehtmlfail paper we could now
> point to that paper and always hard error out if no MDC is used even for
> old algorithms. Shall we consider this?
Yes, I think that's a good idea.
-Patrick