On Tue 2015-06-09 09:28:50 -0400, Simon Josefsson wrote:
> It might help to suggest (in the specification) that OpenPGP
> implementations MAY implement decrypt support for older crypto
> algorithms but MUST NOT encrypt using them.
>
> Otherwise I suspect that implementations might accidentally (or not) end
> up implementing both encrypt and decrypt because that is the natural way of
> implementing crypto, and supporting both variants simplifies testing (you
> can test roundtrips). However, doing that is bad for security.
I agree with this approach for encryption algorithms (something like MAY
decrypt, MUST NOT encrypt), and probably with something analogous for
outdated signature algorithms (e.g. MAY verify, MUST NOT sign).
We'd also want to provide guidance that encourages signalling to the
user somehow that while the decryption was successful, the
confidentiality of the content can't be assured. Some similar semantics
should be exposed about the verified signature being unreliable due to
known-weak crypto.
--dkg
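A sketch of how an implementation could apply the MAY-decrypt / MUST-NOT-encrypt split and surface the "confidentiality can't be assured" signal discussed above. This is an added example, not code from the thread or from any OpenPGP implementation; the symmetric algorithm IDs are the real RFC 4880 values, but which of them count as "older" is this example's own assumption, since the thread does not name any.

```python
from dataclasses import dataclass, field

# RFC 4880 symmetric-key algorithm IDs. Treating the first four as legacy is an
# assumption made for this example; the thread itself names no algorithms.
IDEA, TRIPLE_DES, CAST5, BLOWFISH, AES128, AES192, AES256, TWOFISH = 1, 2, 3, 4, 7, 8, 9, 10
LEGACY_CIPHERS = {IDEA, TRIPLE_DES, CAST5, BLOWFISH}   # MAY decrypt, MUST NOT encrypt
MODERN_CIPHERS = {AES128, AES192, AES256, TWOFISH}     # may be used in both directions


class PolicyError(Exception):
    """Raised when policy forbids the requested operation (fail closed)."""


@dataclass
class DecryptResult:
    plaintext: bytes
    cipher: int
    confidentiality_assured: bool          # what the UI should key its warning on
    warnings: list = field(default_factory=list)


def select_encryption_cipher(recipient_prefs, our_prefs=(AES256, AES128)):
    """Choose a cipher for encryption from the recipient's preference list
    (RFC 4880 key subpacket 11 order), never picking a legacy cipher.

    Note that RFC 4880 makes TripleDES a tacit trailing preference; under this
    policy that fallback is simply refused, so an empty or all-legacy list fails."""
    for algo in recipient_prefs:
        if algo in LEGACY_CIPHERS:
            continue                        # recipient may list it, we still MUST NOT use it
        if algo in our_prefs:
            return algo
    raise PolicyError("no mutually acceptable non-legacy cipher; refusing to encrypt")


def decrypt_message(cipher, ciphertext, decrypt_fn):
    """Decrypt with any supported cipher, but flag legacy ones as not confidential.

    decrypt_fn(cipher, ciphertext) is a caller-supplied primitive (hypothetical
    here); the point of this function is the policy wrapped around it."""
    if cipher not in LEGACY_CIPHERS | MODERN_CIPHERS:
        raise PolicyError(f"unsupported cipher id {cipher}")
    plaintext = decrypt_fn(cipher, ciphertext)
    result = DecryptResult(plaintext, cipher, cipher not in LEGACY_CIPHERS)
    if not result.confidentiality_assured:
        result.warnings.append(
            f"decrypted with legacy cipher id {cipher}; confidentiality cannot be assured")
    return result
```

The same shape (a verify path that succeeds but carries a "signature unreliable" flag, and a sign path that refuses) covers the signature-algorithm case dkg mentions.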
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp