Hi!

On Tue, 5 Mar 2024 12:39, Tobias Leupold said:

> Sorry for asking another thing about this. For sure, I didn't want to set off
> an avalanche, and I still don't want to. But from a user's perspective, this
> is simply very confusing and also unsettling.

You are right. What I can do is to give my perspective of this which is based on my experience re-implementing a free PGP version since 1997 and while doing that taking part in the OpenPGP specification process which started at the same time.

> https://security.stackexchange.com/questions/275883/should-one-really-disable-aead-for-recent-gnupg-created-pgp-keys
>
> The answer started with:
>
>> While authenticated encryption (AEAD) is good - especially for something
>> like OpenPGP, which is an old and over-complicated standard that has a
>> concerning large attack surface for vulnerabilities or simple implementation

This introduction is pretty unfair but unfortunately as common on the net as the "PGP is way too complicated for anyone to use" claim. In reality PGP (in the form of GnuPG and Thunderbird) is used daily by millions of people who consciously choose to protect their mails and data. If you want to see an over-complicated standard, have a look at S/MIME (aka CMS, X.509) which is implemented by all major mailers but has not the good repudiation of *PGP. See also [1].

The above answer by CBHacking continues:

  I definitely can't recommend enabling a non-standardized compatibility-breaking feature by default, and frankly feel that GnuPG made a major error in doing so.

That is factually wrong. RNP, the core of Thunderbird's OpenPGP implementation, implemented this too. But instead of fixing all the stuff which got lost during the migration from Enigmail to TB's new OpenPGP code the TB maintainer now wants to remove support for OCB from TB.

IETF specifications are not a standard but a specification how certain things are commonly implemented. The meanwhile most used public key algorithm (Curve25519) is not specified in OpenPGP but nevertheless less widely used and accepted.

  From a security perspective, I'm not even sure that just adding an OCB-based AEAD mode actually helps anything, in expectation; OpenPGP messages can already be authenticated in a few different ways, so arguably the likeliest source of security flaws is that the message

S/he is right that formats get more complex and that we already have Authenticated Encryption (the core feature of AEAD) in OpenPGP but exactly that old format is complex and hard to implement. OTOH, the new OCB based Authenticated Encryption is a straightforward implementation of a well researched mode and the gold standard for all block cipher modes. The old format in OpenPGP was an ad-hoc implementation of Authenticated Encryption on top of the legacy PGP-2 format. Thus in the long run the new OCB mode will reduce the complexity.

The answer shows in bold:

  Given that you work with non-GnuPG clients, and that this feature is not part of the OpenPGP specification, and that OpenPGP already includes message authentication and integrity, I recommend disabling this feature for now.

With the same argument you could also stop using TLS 1.3 and instead keep on using TLS 1.2 in eternity. In most cases 1.3 has no real world advantages when done right. However, most sites allow for both 1.3 and 1.2 and only a few disallow 1.2 which leads to the same problems as we see with the removal of support by some applications and some Linux distros.

  Note that you'll have to re-encrypt the data for non-GPG clients after disabling this non-standard feature.

Also most other things CBHacking wrote are okay, this one is simply wrong. This is not a gpg only feature.

> from somebody with an impressive reputation on the network, for whom I
> suppose

Well, some anonymous account on stackexchange. I can't tell.

Salam-Shalom,

   Werner

[1] Let me quote Peter Gutmann, a really well repudiated expert on all things security, on S/MIME:

  "As a result there's no pressure on the people involved in PKI standardisation to create anything that meets any real-world requirement, allowing them instead to spend their time building great gothic cathedrals of infinite complexity whose sole purpose seems to be to strike awe and terror into the masses."

I hope that *PGP stops evolving into this direction.

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users