Avoid recipient-compatibility SHA1

Phil Pennock gnupg-users at spodhuis.org
Mon Nov 2 14:15:32 CET 2020


On 2020-11-02 at 13:49 +0100, Werner Koch via Gnupg-users wrote:
> On Fri, 30 Oct 2020 00:10, Phil Pennock said:
> > recipient.  That's fine.  I'd rather create pressure for people to fix
> > their systems to use modern cryptography than cater to their brokenness
> > with sensitive messages.
> 
> People won't update their keys - that just does not work.  Ignoring the
> preferences is a better way here.

First: thank you for the code changes!

As to the people part: for a generic call to action, you're right.  But
that's not the social dynamic in play here.

For a specific set of people who know each other, trying to communicate
securely, if someone says "hey your key is too broken to use, please fix
it, here's a command to run (which you should check for yourself),
please do so and send us your new public key" ... then that works.

In the generic case, there's a hypothetical reward requiring work now.
In the specific case, it's a case of "you're getting cut out of this
ongoing conversation which presumably matters to you, do this now to get
back in".  If the conversation really does matter to that person, then
they will fix their key.  I have gotten people to fix various problems
on exactly this basis.

For everyone I am not talking to?  Not my business, not my problem.
I can only issue advice and shrug when people ignore it.

Now I just need a sane way to figure out which key caused this.  :)

Thanks,
-Phil


