Essay on PGP as it is used today

Robert J. Hansen rjh at
Wed Jul 17 06:05:01 CEST 2019

> More than a bit critical, but a good read all the same.  Found on HN. 

Although I largely share in the criticisms, I think the author made a
couple of serious mistakes.

First, RFC4880bis06 (the latest version) does a pretty good job of
bringing the crypto angle to a more modern level.  There's a massive
installed base of clients that aren't aware of bis06, and if you have to
interoperate with them you're kind of screwed: but there's also
absolutely nothing prohibiting you from saying "I'm going to only
implement a subset of bis06, the good modern subset, and if you need
older stuff then I'm just not going to comply."  Sequoia is more or less
taking this route -- more power to them.

Second, the author makes a couple of mistakes about the default ciphers.
 GnuPG has defaulted to AES for many years now: CAST5 is supported for
legacy reasons (and I'd like to see it dropped entirely: see above, etc.).

Third, a couple of times the author conflates what the OpenPGP spec
requires with what it permits, and with how GnuPG implements it.
Cleaner delineation would've made the criticisms better, I think.

But all in all?  It's a good criticism.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Gnupg-users mailing list