On Sat, 12 Oct 2019 02:23, Robert J. Hansen said:

> on Enigmail was very real. It was created by an ambiguity in how GnuPG
> returns error states: just because GnuPG says "decryption OK" doesn't

Nope. They did not read the documentation and did not check error codes. We suggest for a reason to use GPGME to make error checking easy. You can't just code things down along some specs without thinking over the implications.

Still, TB is still subject to those attacks because their primary encryption protocol is S/MIME and the last time I checked S/MIME (well, CMS for the nitpickers) does not support any kind of authenticated encryption. In contrast, OpenPGP has provided this for nearly 2 decades. Mozilla has not even stepped forward and implemented one of the meanwhile old proposals to move to AE. So Microsoft had to take the lead to do this (rumors are that the next OL version will allow for GCM mode).

After 20 years of strong resistance against implementing OpenPGP [1], they finally seem to do it. That is a good move.

Shalom-Salam,

   Werner

[1] Back in ~1999, when Mozilla rewrote the entire mail engine, I implemented a first version of PGP/MIME code which was rejected due to their policy of only supporting S/MIME. For a term paper a German student later took up my code, extended it and cleaned it up. Again it was rejected. About 2005 we had a meeting with them to propose that we implement S/MIME again in a way that would comply with the strong policy requirements here in Germany and also to implement OpenPGP as an additional protocol. It was again rejected.

--
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users