Re: Breaking changes

Ernst-Udo Wallenborn Ernst-Udo.Wallenborn at novosec.com
Tue May 22 16:19:57 CEST 2018


> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Ralph Seichter
> Sent: Tuesday, 22 May 2018 12:59
>
> On 22.05.18 03:42, Mark Rousell wrote:
> 
> > Preventing users from encrypting new data using legacy encryption does
> > NOT need to mean that other users have to be prevented from (quite
> > legitimately) accessing archived data using legacy encryption with
> > maintained software.
> 
> Who said "have to be prevented"? Please keep in mind that GPG is
> maintained on a voluntary basis. If the people who do the actual work
> decide to not maintain outdated software anymore, so they can focus
> their limited resources on current releases, they are completely free
> to do so and don't deserve to be chastised for the decision.


I'd favour a pragmatic approach, drawing the line depending on the state of technology: we all know that encryption does not provide absolute security; it provides relative security for a limited time. Relative because it depends on the means the adversary has, and limited time because of technological progress.

Old files encrypted with a method that is trivially crackable today are actually not encrypted, they're just encoded in a fancy way. Users with such files should reevaluate their encryption strategy, and not depend on gnupg to be a permanent decoding tool. But on the other hand, email encryption can never clean up as radically as TLS1.3, because it has to provide protection for data-at-rest, too, which TLS doesn't have to address. So unless an algorithm is completely broken, it should stay supported, at least for decryption.

-- 
Ernst-Udo Wallenborn
Pgp   22FB 1CB2 82D8 A903 A289 053B 4015 1361 6040 82F7





