AW: Breaking changes
Ernst-Udo.Wallenborn at novosec.com
Tue May 22 16:19:57 CEST 2018
> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Ralph Seichter
> Sent: Tuesday, 22 May 2018 12:59
> On 22.05.18 03:42, Mark Rousell wrote:
> > Preventing users from encrypting new data using legacy encryption does
> > NOT need to mean that other users have to be prevented from (quite
> > legitimately) accessing archived data using legacy encryption with
> > maintained software.
> Who said "have to be prevented"? Please keep in mind that GPG is
> maintained on a voluntary basis. If the people who do the actual work
> decide to not maintain outdated software anymore, so they can focus
> their limited resources on current releases, they are completely free
> to do so and don't deserve to be chastised for the decision.
I'd favour a pragmatic approach, drawing the line depending on the state of technology: we all know that encryption does not provide absolute security; it provides relative security for a limited time. Relative because it depends on the means the adversary has, and limited time because of technological progress.
Old files encrypted with a method that is trivially crackable today are actually not encrypted, they're just encoded in a fancy way. Users with such files should reevaluate their encryption strategy, and not depend on gnupg to be a permanent decoding tool. But on the other hand, email encryption can never clean up as radically as TLS1.3, because it has to provide protection for data-at-rest, too, which TLS doesn't have to address. So unless an algorithm is completely broken, it should stay supported, at least for decryption.
Pgp 22FB 1CB2 82D8 A903 A289 053B 4015 1361 6040 82F7