A postmortem on Efail

Philipp Klaus Krause pkk at spth.de
Sun May 20 13:11:29 CEST 2018

On 20.05.2018 at 08:26, Robert J. Hansen wrote:
> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on Efail.
> You may find it worth reading.  You may also not.  Your mileage will
> probably vary.  :)
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08

I don't think breaking backwards-compatibility is an all-or-nothing question.

IMO, it is important to still be able to decrypt old data. On the other
hand one wants sane, secure use with current data.
The functionality needed to decrypt old files should still be there.
Possibly hidden behind some new option, if that helps security for
typical users.

If my mail client will no longer be able to display some old encrypted
message, that's ok. But I should be still able to read that message by
invoking GPG from the command-line with suitable options.