AW: Efail or OpenPGP is safer than S/MIME

Werner Koch wk at
Wed May 16 14:10:06 CEST 2018

On Tue, 15 May 2018 11:44, Roman.Fiedler at said:

> The status line format should be designed to support those variants to
> allow a "logical consistency check" of the communication with GnuPG

There is a 


and that is all what it takes.  If the integrity check fails there
should be no easy way to circumvent this. RFC-5083 states this cleary:

   The recipient MUST verify the integrity of the received content
   before releasing any information, especially the plaintext of the
   content.  If the integrity verification fails, the receiver MUST
   destroy all of the plaintext of the content.

Unfortunately this can't be done by tools prepared to process huge
amounts of data.  And in contrast to the Efail claims this is an
important feature.  How would you else do your ZFS backups without
having a way to stream the data to the backup system.

For failsafe reasons I consider to wipe the plaintext data in GPGME's
interface on decryption failure.  That can only be done when memory
based data or file based objects are used.  But I guess that many MUAs
use the memory data approach.  Such a failsafe protection would avoid an
attack even if the error code returned by GPGME is not checked.



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list