On 6/27/2014 6:31 PM, Johannes Zarl wrote:
> 1. legacy PGP implementations in closed corporate environments

Be careful about that phrase "legacy." Too often it's used as a slur. It's more accurate to say, "PGP installations in corporate environments." There's no reason to think these installations are closed, or that the IT departments are being unreasonable. Just because they're not doing what you think they should doesn't mean they're not playing with a full deck.

> Group 1 can afford not to have frequent security updates since the systems
> are isolated from the internet and don't upgrade because this would incur a
> significant cost with little benefit.

The "since" is probably inaccurate. Group 1 can afford to keep using PGP 8.x because it meets their needs. They don't upgrade because it doesn't make business sense to do so.

> The way I see it compatibility between those two groups is a non-issue - they
> simply don't exchange messages.

You may not exchange emails with corporations; many other people do.

> Arguing that "internet-users" should not adopt SHA-x because SHA-1 is the
> only thing supported by legacy systems makes about as much sense as arguing
> that "legacy-users" should throw money into upgrading their isolated systems.

That's a subtle rephrasing of the position -- and an inaccurate one. SHA-x should not be used *by default in places where it would break the spec*. But no one is saying that SHA-x should not be used, period, nor is anyone saying that if, after careful deliberation, you decide breaking the spec is appropriate, you shouldn't do so.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
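The "by default, where it would break the spec" distinction maps onto two documented GnuPG options; the gpg.conf fragment below is an added illustration, not from anyone in the thread, contrasting the spec-breaking setting with the one that keeps recipient preferences in play.

```ini
# gpg.conf fragment (added example, not from the mailing-list thread)

# Spec-breaking form: forces SHA-256 on every signature no matter what the
# recipient's key advertises in its hash preferences. GnuPG's own manual
# warns that digest-algo can "break the OpenPGP standard" -- RFC 4880 only
# guarantees SHA-1 as a MUST-implement hash, so a correspondent whose key
# lists nothing else may be unable to verify the result.
#digest-algo SHA256

# Spec-respecting form: rank SHA-2 above SHA-1 for yourself. When signing
# and encrypting, GnuPG selects only an algorithm usable by all recipients,
# so a PGP 8.x correspondent whose key lists just SHA-1 still gets SHA-1.
# When signing without encryption (clearsign, detached), the top-ranked
# entry is used, which is the deliberate "after careful deliberation" case.
personal-digest-preferences SHA256 SHA384 SHA512 SHA224

# Key certifications have no recipient to negotiate with; choosing SHA-256
# here is a conscious decision that some older implementations may not verify.
cert-digest-algo SHA256
```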