On Mon, Mar 04, 2024 at 12:03:41PM +0100, Tobias Leupold via Gnupg-users wrote: [...] > After some research, I found > > https://github.com/open-keychain/open-keychain/issues/2886 , > > describing this exact issue.
That would be the cipher block mode proliferation issue. > As a possible fix, disabling the unsupported AEAD > mechanism in the key itself was mentioned, the Arch folks write: > > https://wiki.archlinux.org/title/GnuPG#Disable_unsupported_AEAD_mechanism Thank you for this. Up to now I did not know how to do this for GnuPG. > > They also claim that "many downstreams attempt to remove this new default by > patching the GnuPG sources". I don't know if this is true, but I would not be surprised. It turns out that the current existing cipher block mode (OCFB-MDC, SEIP) is cryptographically secure, even though there are lot of misleading legends that insist that it is not. So as a user, I have no incentive to use another block mode unless I want higher encryption performance or different error handling. Few users actually want or need those features. All users want interoperability. That, after all, is why the OpenPGP standard exists. People with special needs normally use dedicated encryption utilities with no interoperability with anything else. > > I'm not that deep into cryptography. I'm not sure I completely grasp what > AEAD > and OCB mean. Just different terms for the same new and incompatible cipher block mode for the purposes of this discussion. > > So: Is it wise and/or necessary to disable that for new GnuPG generated keys, > for the sake of interoperability? Ah... That question leads to an awkward discussion these days. There was a IETF standards process that led to the OCB mode now supported by GnuPG and others. GnuPG (and others) implemented it before the new standard was officially released (there seemed to be consensus). That standards process then dropped the GnuPG OCB mode and created 3 new modes. So currently, there are the two modes that the OpenPGP standard currently specifies and four proposed modes for a total of 6 modes, each completely incompatible with any other mode. So there is a potential for a interoperability disaster here. > Or will the others catch up and implement it? Which mode(s) should they implement? There are at least two factions. It seems unlikely that any faction will implement the other faction's modes. > Or is there a good reason not to do so? At this point I personally believe that everyone should step back from this potential war and stop generating new modes by default. As a user I can happily wait until an actual consensus is reached. Heck, I can happily wait past that. There is no hurry here. The big usability problem now is that the implementations are not making all this clear. GnuPG for instance doesn't even have an entry in the FAQ about this problem. Most users will not be able to overcome this sort of issue and will have to just give up. Anyway, I wrote a whole rant about this: * https://articles.59.ca/doku.php?id=pgpfan:schism I have added your Openkeychain references to my list of problems caused by new OpenPGP cipher block modes. Thanks. * https://articles.59.ca/doku.php?id=pgpfan:noae_shame Bruce _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
