Sorry for asking another thing about this. For sure, I didn't want to set off an avalanche, and I still don't want to. But from a user's perspective, this is simply very confusing and also unsettling.
I think that somewhere, there should be some documentation, FAQ or whatever, as a definitive source for the correct facts. Because we have this statement: > That is not a GnuPG specific but an agreed upon format by the participants > of the OpenPGP WG and implemented by all major implementations. Which does not match what others say (apart from Vincent's statement) ... e.g. I also asked for what to do on Stack Exchange: https://security.stackexchange.com/questions/275883/should-one-really-disable-aead-for-recent-gnupg-created-pgp-keys The answer started with: > While authenticated encryption (AEAD) is good - especially for something > like OpenPGP, which is an old and over-complicated standard that has a > concerning large attack surface for vulnerabilities or simple implementation > errors - I definitely can't recommend enabling a non-standardized > compatibility-breaking feature by default, and frankly feel that GnuPG made > a major error in doing so from somebody with an impressive reputation on the network, for whom I suppose he knows what he's talking about. So: Is this standardized, or is it not? As said: I don't want to provoke a flame war. I'm just interested in objective facts ... _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
