Jon Callas <j...@callas.org> writes: >Okay, password-protected files would get it, too. I won't ask why you're >sending password protected files to an agent.
They're not technically password-protected files but pre-shared key (PSK) protected files, where the keys have a high level of entropy (presumably 128 bits, but I don't know the exact figure). So in this case the S2K isn't actually necessary because of the choice of password/PSK used. (Sorry, for non-OpenPGP folks "S2K" = "string to key", a parameterised way of processing a password, for example by iterated hashing with a salt, into a key). >By the way, do you think it's safe to phase out MD5? That will break all the >PGP 2 users. The answer depends on what sort of user base you expect to have to support. In my case I disable things that I don't think get used much in betas and see if anyone complains. If no-one does, it remains disabled in the final release. Now if only I could rearrange this process so I didn't have to implement support for assorted practically-unused mechanisms in the first place... This is another interesting philosophical debate: What do other people do in terms of deprecating obsolete/insecure/little-used mechanisms? Deprecate by stealth? Flag day? Support it forever? Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com