Re: 2.2.43 and vsd-allow-ocb

2024-05-07 Thread Werner Koch via Gnupg-users
On Mon,  6 May 2024 18:26, Andreas Metzler said:

> So in my test  (without --compliance=de-vs) 2.2.43 /should/ have
> automatically used OCB when encrypting for a key which has 'AEAD: OCB'
> set?

Yes.  Check with --debug=lookup which and why keys are selected.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: 2.2.43 and vsd-allow-ocb

2024-05-06 Thread Andreas Metzler
On 2024-05-06 Werner Koch  wrote:
> On Sat,  4 May 2024 18:45, Andreas Metzler said:

> > rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb"
> > rGa545e14e8a74 gpg: Support OCB encryption.

> > Which I understand to mean that 2.2.43 would by default both generate keys
> > with 'AEAD: OCB' and use OCB when encrypting to keys with that flag set.
> > And this behavior could have been disabled with '--compatibility-flags

> No, you misunderstood this.  OCB encryption is indeed supported regardless of
> the compatibility flag.

> What the compatibility flag does is to allow OCB also in
> --compliance=de-vs mode.
[...]

Hello Werner,
So in my test  (without --compliance=de-vs) 2.2.43 /should/ have
automatically used OCB when encrypting for a key which has 'AEAD: OCB'
set?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: 2.2.43 and vsd-allow-ocb

2024-05-06 Thread Werner Koch via Gnupg-users
Hi!

On Sat,  4 May 2024 18:45, Andreas Metzler said:

>   rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb"
>   rGa545e14e8a74 gpg: Support OCB encryption.

> Which I understand to mean that 2.2.43 would by default both generate keys
> with 'AEAD: OCB' and use OCB when encrypting to keys with that flag set.
> And this behavior could have been disabled with '--compatibility-flags

No, you misunderstood this.  OCB encryption is indeed supported regardless of
the compatibility flag.

What the compatibility flag does is to allow OCB also in
--compliance=de-vs mode.  This was required because at the time of the
release we had not yet an approval to use this for VS-NfD/Restricted
communication.  Thus in the GnuPG VS-Desktop configuration this option is
only set after we received the approval.

For key generation the flag is indeed not set by default:

/* For now we require a compat flag to set OCB into the preferences.  */
if (!(opt.compat_flags & COMPAT_VSD_ALLOW_OCB))
  ocb = 0;

Because we don't want to create keys so that sites required to use de-vs
compliance mode won't end up with keys which claim to support a
non-approved encryption scheme.

Thanks for this reminder, that compatibility flag can now be removed.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




2.2.43 and vsd-allow-ocb

2024-05-04 Thread Andreas Metzler
Hello,

2.2.42's NEWS said
  * gpg: Support OCB encryption.  [T6263]

and https://dev.gnupg.org/T6263 shows two commits
rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb"
rGa545e14e8a74 gpg: Support OCB encryption.

The commit message for 0a355b2fe7d8 said
| * g10/gpg.c (compatibility_flags): Add "vsd-allow-ocb".
| (main): And set it.

Which I understand to mean that 2.2.43 would by default both generate keys
with 'AEAD: OCB' and use OCB when encrypting to keys with that flag set.
And this behavior could have been disabled with '--compatibility-flags
none'.

However afaict (gpg --compatibility-flags ?) the flag is not set by
default and indeed --quick-generate-key without --compatibility-flags
vsd-allow-ocb generates a key without "AEAD: OCB" and does not use OCB
for encrypting to a key with "AEAD: OCB" set.

Is my understanding flawed?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

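
Added example, not part of the thread and not GnuPG project code: one way to confirm from the ciphertext itself whether a message was encrypted with OCB, by classifying the output of `gpg --list-packets`. The function name, the sample listings and the key ID are constructed for illustration, and the line formats are assumed to match what gpg prints.

```shell
#!/bin/sh
# Added example: classify `gpg --list-packets` output read from stdin.
# Prints one of: ocb, eax, aead-unknown, cfb-mdc, cfb-nomdc, none.
classify_encryption() {
    awk '
        /^:/ { legacy = 0 }                      # a new packet header starts
        !found && /^:aead encrypted packet:/ {
            mode = "aead-unknown"
            for (i = 1; i <= NF; i++) {
                if ($i == "aead=1") mode = "eax" # OpenPGP AEAD algorithm 1
                if ($i == "aead=2") mode = "ocb" # OpenPGP AEAD algorithm 2
            }
            found = 1
        }
        !found && /^:encrypted data packet:/ {
            mode = "cfb-nomdc"; legacy = 1; found = 1
        }
        # An mdc_method line inside the legacy packet means CFB with MDC.
        legacy && /mdc_method:/ { mode = "cfb-mdc" }
        END { print (found ? mode : "none") }
    '
}

# Constructed sample listings (key ID and sizes are made up, assumed format).
sample_ocb() {
    printf ':pubkey enc packet: version 3, algo 18, keyid 0123456789ABCDEF\n'
    printf '\tdata: [263 bits]\n\tdata: [392 bits]\n'
    printf ':aead encrypted packet: cipher=9 aead=2 cb=16\n\tlength: 86\n'
}
sample_cfb() {
    printf ':pubkey enc packet: version 3, algo 18, keyid 0123456789ABCDEF\n'
    printf '\tdata: [263 bits]\n\tdata: [392 bits]\n'
    printf ':encrypted data packet:\n\tlength: 72\n\tmdc_method: 2\n'
}

echo "OCB sample: $(sample_ocb | classify_encryption)"
echo "CFB sample: $(sample_cfb | classify_encryption)"
```

On a real message, pipe the listing in with `gpg --list-packets FILE | classify_encryption`, where FILE is a placeholder for the encrypted file.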