> We *know* 2.6 is insecure.

For signatures, yes (due to MD5 being first broken 20 years ago, and by now even the rubble has stopped bouncing). For encryption in an active attacker model, yes (due to lack of MDC/AE). For encryption in a passive attacker model, it's still strong. Not as strong as I'd like, and there are definitely some warts, but -- in that specific context it's still usable.

> What on earth is the point of maintaining
> support for a *known insecure* version of a security tool?

Because each time GnuPG floats the possibility of ending PGP 2.6 compatibility, there's enough user outrage -- and not enough user support -- to roll the decision back. I agree that it's pants-on-head crazy, but it's a crazy demanded by the community.
_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net