2.2.43 and vsd-allow-ocb
Werner Koch
wk at gnupg.org
Mon May 6 14:25:12 CEST 2024
Hi!
On Sat, 4 May 2024 18:45, Andreas Metzler said:
> rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb"
> rGa545e14e8a74 gpg: Support OCB encryption.
> Which I understand to mean that 2.2.43 would by default both generate keys
> with 'AEAD: OCB' and use OCB when encrypting to keys with that flag set.
> And this behavior could have been disabled with '--compatibility-flags
No, you misunderstood this. OCB encryption is indeed supported regardless of
the compatibility flag.
What the compatibility flag does is to allow OCB also in
--compliance=de-vs mode. This was required because at the time of the
release we had not yet an approval to use this for VS-NfD/Restricted
communication. Thus in the GnuPG VS-Desktop configuration this option is
only set after we received the approval.
For key generation the flag is indeed not set by default:

    /* For now we require a compat flag to set OCB into the preferences. */
    if (!(opt.compat_flags & COMPAT_VSD_ALLOW_OCB))
      ocb = 0;

Because we don't want to create key so that sites required to use de-vs
compliance mode won't end up with keys which claim to support a
non-approved encryption scheme.
Thanks for this reminder, that compatibility flag can now be removed.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein