On Friday 27 June 2014 20:51:00 Werner Koch wrote:
> On Fri, 27 Jun 2014 19:46, pe...@digitalbrains.com said:
> > I however have no clue what you expose yourself to when you still use PGP
> > 8.x. It could be possible that these guys take irresponsible risks, I
> > don't know.
> They will tell you that they send the encrypted messages only within
> their VPN and that the company policy requires end to end encryption.
> Check box security.
So basically there are (at least) two user groups:

1. legacy PGP implementations in closed corporate environments
2. people who want to exchange messages over the internet

Group 1 can afford not to have frequent security updates since the systems are isolated from the internet, and they don't upgrade because this would incur a significant cost with little benefit.

Group 2 is willing to keep their software up to date, but is in a generally more "attackable" environment. They push for "more secure" standards and defaults (whatever that means).

The way I see it, compatibility between those two groups is a non-issue - they simply don't exchange messages. Arguing that "internet-users" should not adopt SHA-x because SHA-1 is the only thing supported by legacy systems makes about as much sense as arguing that "legacy-users" should throw money into upgrading their isolated systems.

Cheers,
Johannes

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users