Should one really disable AEAD for recent GnuPG created PGP keys?

Werner Koch wk at
Mon Mar 4 16:16:08 CET 2024

On Mon,  4 Mar 2024 12:03, Tobias Leupold said:

> So: Is it wise and/or necessary to disable that for new GnuPG generated keys, 
> for the sake of interoperability? Or will the others catch up and implement 

No, it is not, because you are delaying the deployment of a new and much
faster algorithm mode.

Although OpenPGP provides a nice preference system to convey the
capabilities of your software it has the obvious problem that you need
to change the preferences when moving to another software.  In fact gpg
has always asked you to update the preferences if it detected a
different set.  Using the same key with different software is and will
always be problematic.  I would also consider the security drawbacks of
doing so.  The attack surface of an Android phone is far higher than of
your well maintained Unix or Windows desktop.  Thus it may be useful to
reflect this by using different keys or at least subkeys.

All the major implementers (Ribose RNP, GnuPG, BouncyCastle, OpenPGP.js)
took great care to first deploy the software with support for the new
mode before actually creating keys with a preference for that mode [1].
Unfortunately a small group of people seems to sabotage this strategy by
rejecting the new mode despite the fact that it has been implemented by their
crypto library.  Well, or your version on Android is too old - which
would indicate a severe security problem anyway.

> it? Or is there a good reason not to do so? Should one keep using legacy RSA 
> keys? Is it too early to switch to more modern ones?

RSA has nothing to do with this.  You can safely switch to curve25519
(ed25519/cv25519) for new keys - they are supported even longer than OCB
mode (aka AEAD).



[1] OCB (AEAD) decryption implemented by GnuPG with versions:
    2.3.0-beta  (January 2018) - interop tested with RNP and OpenPGP.js
    2.3.0       (April 2021)
    2.2.21      (July 2021)
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
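
Added example, not part of the message above and not GnuPG code: a small parser that reports what a key's self-signature advertises about AEAD, which is the preference data the message refers to. It assumes the LibrePGP / rfc4880bis numbering that GnuPG uses (subpacket 30 = Features with bit 0x02 for AEAD, subpacket 34 = Preferred AEAD Algorithms, 1 = EAX, 2 = OCB); the sample subpacket areas are constructed for illustration.

```python
# Added example: inspect the hashed subpacket area of an OpenPGP self-signature.
# Assumed numbering (LibrePGP / rfc4880bis, as used by GnuPG):
#   subpacket 30 = Features (bit 0x02 = AEAD), 34 = Preferred AEAD Algorithms.
FEATURES, PREF_AEAD = 30, 34
AEAD_NAMES = {1: "EAX", 2: "OCB"}

# Constructed samples: preferred ciphers (type 11) plus Features,
# with and without the AEAD flag and the AEAD preference list.
SAMPLE_WITH_AEAD = bytes.fromhex("040b090807" "022202" "021e07")
SAMPLE_WITHOUT_AEAD = bytes.fromhex("040b090807" "021e01")


def parse_subpackets(area: bytes) -> dict:
    """Split a signature subpacket area into {type: body}."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        # The length field is 1, 2 or 5 octets depending on its first octet.
        hdr = 1 if first < 192 else 2 if first < 255 else 5
        if i + hdr > len(area):
            raise ValueError("truncated subpacket length")
        if hdr == 1:
            length = first
        elif hdr == 2:
            length = ((first - 192) << 8) + area[i + 1] + 192
        else:
            length = int.from_bytes(area[i + 1:i + 5], "big")
        i += hdr
        # The length covers the type octet plus the body.
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        sp_type = area[i] & 0x7F          # strip the critical bit
        out[sp_type] = area[i + 1:i + length]
        i += length
    return out


def aead_advertised(area: bytes) -> dict:
    """Return the AEAD feature flag and the AEAD preference list, in order."""
    sp = parse_subpackets(area)
    feat = sp.get(FEATURES, b"")
    prefs = [AEAD_NAMES.get(a, f"unknown({a})") for a in sp.get(PREF_AEAD, b"")]
    return {"feature_flag": bool(feat and feat[0] & 0x02), "preferred": prefs}


if __name__ == "__main__":
    print(aead_advertised(SAMPLE_WITH_AEAD))
    print(aead_advertised(SAMPLE_WITHOUT_AEAD))
```

Comparing this output for the same key before and after it has been edited by a different OpenPGP implementation shows whether the advertised preferences changed.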