Should one really disable AEAD for recent GnuPG created PGP keys?

Bruce Walzer bwalzer at
Wed Mar 6 23:14:37 CET 2024

On Wed, Mar 06, 2024 at 09:43:00AM +0100, Werner Koch wrote:
> On Tue,  5 Mar 2024 11:15, Bruce Walzer said:
> > So just to be clear, I am not complaining that GnuPG implemented the
> > LibrePGP version of OCB. I am complaining that GnuPGP did #2 and #3
> > before implementation was close to universal and did not clearly spell


> OCB mode is only used if all recipient's key have the flag that they
> support this mode.

Yes, and I agree that the preference system here is helpful. But I
have a list of 22 instances where it did not work. Those are up to
this point entirely from GnuPGP emitting new block cipher modes and
are mostly between different versions of GnuPG. Things could easily
get worse going forward.

> This is not different from the preferences for a certain cipher
> algorithm.  For example AES in the old days.  The migration from
> CAST5 to AES worked without any noticeable problems because after we
> implemented AES, we announced that in the keys and the peers started
> to use AES iff all recipients claimed that they support this flags.

The difference here is that most users have a general idea of what
these algorithms are and what it means when support for decytption is
not available. Few people know about cipher block modes. The messages
that they get won't even refer to cipher block modes, instead it will
be some sort of obscure internal error. For example, GnuPG says this:

    gpg: [don't know]: partial length for invalid packet type 20

> Same thing for for compression algorithms.  At some point we were
> talked round to implement bzip2.

How many implementations specify bzip2 as the most desired
compression mode by default? Back in the day, most OpenPGP users were
on the same mailing lists. That is no longer true. This is a good
thing. The OpenPGP standard and GnuPGP in particular are widely and
routinely used.


> Now, when you move to another software with less capabilities, you
> need to announce that to your peers by sending an updated key with
> the new set of preferences.  Sure there is a problem with low end
> mobile device software which you use with the same key - in this
> case you need to drop the preferences which are not supported by
> your mobile device software.

Mailvelope for example, provides no way to modify preferences. Most
implementations do not. So, practically, this will be done with the
GnuPGP editor. That editor is not very accessible for most users. The
user would have to export then import to GnuPGP. Then somehow
determine the capabilities of all their implementations (and all the
versions of those implementations they are using). Then they would find
a common subset and edit it into the new key. Then they would export
the key back to all the implementations, keyservers and non-server
using correspondents. Certainly possible but it is a lot to ask.

These are the sorts of things that allow others to claim that the
OpenPGP ecosystem is complex and unusable.

Anyway, this is not about my greatest fear. That fear is that the
cryto refresh will someday be released as the official RFC-4880. If
any significant implementation follows this exclusively, then there
will be an actual "schism". If everyone emits new modes by default
then the two islands of compatibility will not be able to
interoperate. To the extent that the preferences were helpful, it
would be by using the existing block cipher mode to bridge the gap. I
would be OK with this but I doubt that most would. It would make the
introduction of the new modes seem pointless. What happens then?

Making this personal, I sometimes write PGP advocacy articles. How
should I attempt to sell this new change? Faster encryption and
different error handling, great. But that doesn't seem enough to
justify obscure, possibly time delayed, interoperability problems even
if they are rare.


More information about the Gnupg-users mailing list