> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On behalf of
>
> On 22/05/18 10:44, Fiedler Roman wrote:
> > Such a tool might then e.g. be used on a MitM message reencryption
> > gateway: the old machines still send messages with old
> > (deprecated/legacy options), they are transformed by "gpg-archive":
> > The full data (old message, old decrypt report, reencrypted
> > plaintext) go to the auditing storages, the reencrypted plaintext to
> > the standard (before MitM) receiver (who does not need to support
> > legacy/deprecated from now on anymore).
>
> I don't think we should be encouraging the automated or transparent use
> of legacy crypto upgrades, particularly in an online setting such as a
> mail gateway. All this does is launder the obviously-dangerous bad
> ciphertext into an apparently-safe new ciphertext.
Agreed, but I did not mean "e-mail" when writing "message". "Message" would more be some encoded data block from a remote device that has to be pushed to a central system from time to time, e.g. for auditing. Thus the gateway knows exactly the sender's key (usually it is only one for all systems with the same security level/in the same security zone) and re-encrypts it with a single key also known to the recipient. Usually the recipient has all the trusted keys hardcoded.

For "e-mail" type messages, as you noted, a transparent re-encryption would be more risk than benefit in many cases. Still, it might be useful for semi-automated migration scenarios, e.g.

* User clicks on a very old e-mail message
* GnuPG fails to decrypt it, referring to the migration tool and asking for confirmation
* The migration tool migrates/replaces that single message if the user wants that.

For e-mail, creating a MIME tree might come in handy, e.g.

- plaintext message (reencrypted)
- decryption/migration protocol (encrypted)
- old message (full old MIME structure, also encrypted but without decrypting it first, thus providing data-at-rest protection while still preserving all the old structures for traceability)