> More than a bit critical, but a good read all the same. Found on HN.
Although I largely share in the criticisms, I think the author made a couple of serious mistakes. First, RFC4880bis06 (the latest version) does a pretty good job of bringing the crypto angle to a more modern level. There's a massive installed base of clients that aren't aware of bis06, and if you have to interoperate with them you're kind of screwed: but there's also absolutely nothing prohibiting you from saying "I'm going to only implement a subset of bis06, the good modern subset, and if you need older stuff then I'm just not going to comply." Sequoia is more or less taking this route -- more power to them. Second, the author makes a couple of mistakes about the default ciphers. GnuPG has defaulted to AES for many years now: CAST5 is supported for legacy reasons (and I'd like to see it dropped entirely: see above, etc.). Third, a couple of times the author conflates what the OpenPGP spec requires with what it permits, and with how GnuPG implements it. Cleaner delineation would've made the criticisms better, I think. But all in all? It's a good criticism.
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
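The point about GnuPG's defaults versus what a particular key advertises is something you can check rather than assume: the cipher a correspondent will use for you is driven by the "preferred symmetric algorithms" subpacket (type 11) in your key's self-signature, and a key generated years ago may still list CAST5 or 3DES ahead of AES. The following parser is an added example, not code from this post or from GnuPG or Sequoia; it decodes a new-format v4 signature packet far enough to pull out that subpacket and reports legacy 64-bit block ciphers. The three packets are constructed by hand for the example (the MPI and hash-prefix bytes are filler, not real signatures), and the parser deliberately handles only new-format headers and non-partial lengths, which is enough for the self-signatures GnuPG emits but not a full OpenPGP implementation.

```python
"""Audit the preferred-symmetric-algorithm subpacket (RFC 4880 5.2.3.7,
type 11) of an OpenPGP v4 signature packet.

Added example, not code from the mailing-list post or from GnuPG.
The sample packets are hand-constructed and are not real signatures."""

# RFC 4880 section 9.2 algorithm IDs; 11-13 are the Camellia IDs from RFC 5581.
SYM_ALG_NAMES = {
    0: "Plaintext", 1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
    7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish",
    11: "Camellia-128", 12: "Camellia-192", 13: "Camellia-256",
}
AES_IDS = {7, 8, 9}
LEGACY_IDS = {1, 2, 3, 4}          # 64-bit block ciphers: IDEA, 3DES, CAST5, Blowfish
PREF_SYM_SUBPACKET = 11
SIGNATURE_TAG = 2


def read_length(buf, pos, subpacket=False):
    """Decode a new-format length at buf[pos]; returns (length, next_pos).
    Packet lengths use 192..223 for the two-octet form, subpacket lengths 192..254."""
    first = buf[pos]
    two_octet_limit = 255 if subpacket else 224
    if first < 192:
        return first, pos + 1
    if first < two_octet_limit:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not handled by this example")


def parse_subpackets(area):
    """Split a signature subpacket area into (type, body) pairs."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = read_length(area, pos, subpacket=True)
        sub_type = area[pos] & 0x7F            # high bit is the 'critical' flag
        body = area[pos + 1:pos + length]      # length counts the type octet
        if len(body) != length - 1:
            raise ValueError("truncated subpacket")
        out.append((sub_type, body))
        pos += length
    return out


def parse_v4_signature(packet):
    """Parse the fixed header and hashed subpacket area of a v4 signature packet."""
    if packet[0] & 0xC0 != 0xC0:
        raise ValueError("only new-format packet headers are handled")
    if packet[0] & 0x3F != SIGNATURE_TAG:
        raise ValueError("not a signature packet")
    body_len, pos = read_length(packet, 1)
    body = packet[pos:pos + body_len]
    if len(body) != body_len:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    return {"sig_type": body[1], "pubkey_alg": body[2], "hash_alg": body[3],
            "hashed_subpackets": parse_subpackets(hashed)}


def preferred_symmetric_ids(packet):
    """Advertised cipher IDs in preference order; empty if the subpacket is absent
    (RFC 4880 then implies TripleDES only)."""
    for sub_type, body in parse_v4_signature(packet)["hashed_subpackets"]:
        if sub_type == PREF_SYM_SUBPACKET:
            return list(body)
    return []


def audit(packet):
    """Summarise what a sender honouring this key's preferences would pick."""
    ids = preferred_symmetric_ids(packet)
    return {
        "ranked": [SYM_ALG_NAMES.get(i, f"unknown({i})") for i in ids],
        "legacy": [SYM_ALG_NAMES[i] for i in ids if i in LEGACY_IDS],
        "legacy_first": bool(ids) and ids[0] in LEGACY_IDS,
        "has_aes": any(i in AES_IDS for i in ids),
        "no_preferences": not ids,
    }


# Constructed samples: tag 2 header, v4, positive certification, RSA, SHA-256,
# a creation-time subpacket (type 2), then the preference subpacket (type 11).
MODERN_SAMPLE = bytes.fromhex(
    "c2 19  04 13 01 08  00 0c  05 02 5c 00 00 00  05 0b 09 08 07 03"
    "00 00  12 34  00 01 01")                    # AES-256, AES-192, AES-128, CAST5
LEGACY_FIRST_SAMPLE = bytes.fromhex(
    "c2 18  04 13 01 08  00 0b  05 02 5c 00 00 00  04 0b 03 02 07"
    "00 00  12 34  00 01 01")                    # CAST5, TripleDES, AES-128
NO_PREFS_SAMPLE = bytes.fromhex(
    "c2 13  04 13 01 08  00 06  05 02 5c 00 00 00  00 00  12 34  00 01 01")

if __name__ == "__main__":
    for name, pkt in [("modern", MODERN_SAMPLE), ("legacy-first", LEGACY_FIRST_SAMPLE),
                      ("no-prefs", NO_PREFS_SAMPLE)]:
        print(name, audit(pkt))
```

On a real key you would feed it the self-signature packet taken from `gpg --export` output (splitting the export into packets with the same header logic); `legacy_first` is the finding that matters, since a modern sender that honours preferences will still fall back to CAST5 or 3DES for a key that ranks them first, regardless of what GnuPG's own default happens to be.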
