[Gpg4win-devel] efail -> improvements

Andre Heinecke aheinecke at intevation.de
Tue May 15 13:29:14 CEST 2018


Hi,

On Tuesday, May 15, 2018 12:47:38 PM CEST Bernhard Reiter wrote:
> Am Dienstag 15 Mai 2018 10:07:58 schrieb Andre Heinecke:
> > > >  c) a signature over the whole contents from someone where it has been
> > > >     encrypted to (if this is feasable to detect).
> 
> As just outlined on gnupg-devel@: it maybe enough if the hash property
> of the signature is used as message integrity checking.

Yes that would mitigate most of my concerns regarding validity. If we only 
check integrity through a signature and not authenticity it will be less error 
prone.

> > We use GPGME and GPGME honors GnuPG's warnings and error messages. To be
> > honest I didn't really know about the importance of MDC when implementing
> > decryption in GpgOL. But this shows again that as a frontend developer
> > using GPGME makes it easy to stay secure as it just "does the right 
thing".
> 
> The point is to recheck that we do not display anything.
> (It is likely that this is already like it should be cause of the use of 
> GPGME.)

I've just double checked. Regarding the MDC errors we are fine for files, too. 
There is no way to get decrypted data from Kleopatra or GPA on an MDC error if 
you do not explicitly disable the use of MDC in your config. The errors are 
confusing though.

Task for this: https://dev.gnupg.org/T3983

> We'd probably take the opportunity to disable the old support for Outlook 
> 2007, 2003 now (as was already planned, deprecated and announced).

I've opened a task for this: https://dev.gnupg.org/T3984

Best Regards,
Andre
-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-devel/attachments/20180515/80abc19f/attachment.asc>


More information about the Gpg4win-devel mailing list