A postmortem on Efail

Mark Rousell markr at signal100.com
Sun May 20 20:05:26 CEST 2018


On 20/05/2018 12:11, Philipp Klaus Krause wrote:
> I don't think breaking backwards-compability is an all-or-nothing question.
>
> IMO, it is important to still be able to decrypt old data. On the other
> hand one wants sane, secure use with current data.
> The functionality needed to decrpyt old files should still be there.
> Possibly hidden behind some new option, if that helps security for
> typical users.
>
> If my mail client will no longer be able to display some old encrypted
> message, that's ok. But I should be still able to read that message by
> invoking GPG from the command-line with suitable options.
>
> Philipp
>

I must agree with this. Absolutely losing a decryption ability that many
people clearly do still require is not a sensible path, but putting
'legacy decryption' ability behind a brand new option that requires some
kind of active change by users who do need it is a reasonable and
sensible compromise imo.

In short, it is not necessary to entirely remove the ability to decrypt
legacy-encrypted data to have the effect of deprecating its use.


-- 
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
 
 
 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180520/d774f1ad/attachment.html>


More information about the Gnupg-users mailing list