Essay on PGP as it is used today
Robert J. Hansen
rjh at sixdemonbag.org
Wed Jul 17 06:05:01 CEST 2019
> More than a bit critical, but a good read all the same. Found on HN.
Although I largely share in the criticisms, I think the author made a
couple of serious mistakes.
First, RFC4880bis06 (the latest version) does a pretty good job of
bringing the crypto angle to a more modern level. There's a massive
installed base of clients that aren't aware of bis06, and if you have to
interoperate with them you're kind of screwed: but there's also
absolutely nothing prohibiting you from saying "I'm going to only
implement a subset of bis06, the good modern subset, and if you need
older stuff then I'm just not going to comply." Sequoia is more or less
taking this route -- more power to them.
Second, the author makes a couple of mistakes about the default ciphers.
GnuPG has defaulted to AES for many years now: CAST5 is supported for
legacy reasons (and I'd like to see it dropped entirely: see above, etc.).
Third, a couple of times the author conflates what the OpenPGP spec
requires with what it permits, and with how GnuPG implements it.
Cleaner delineation would've made the criticisms better, I think.
But all in all? It's a good criticism.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 228 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users