All Stories
Mon, Jan 6
Sun, Jan 5
Fri, Jan 3
Change the encryption code to only allow 256 bit session keys with Kyber regardless of the preferences, iff --require-pqc-encryption is set. […] We could as well also enforce AES-256 without that option.
What if we encrypt to several recipients, only some of them having a Kyber encryption key? Should we still enforce AES-256 in that case regardless of the preferences, and assume that by now everybody should support AES-256?
Love it! I think I am going to use “post-heffalump crypto” from now on. :D
But keep https://www.cs.auckland.ac.nz/~pgut001/pubs/heffalump_crypto.pdf in mind ;-)
Thu, Jan 2
I wrote it with PQC security level in mind which requires AES256 for the session key as well.
That is what I expected. Meanwhile I re-read the code and history and can tell that the comment is not correct. I wrote it with PQC security level in mind which requires AES256 for the session key as well. However, during the migration phase and as long as --require-pqc-encryption is not enabled we should allow an AES-128 session key. This is for the rare case that encryption is also done for non-PQC keys which don't have the AES-256 capability set.
Here you are:
At gnupg/g10/pubkey-enc.c you will find
I have replaced the expiring test key with a new non-expiring test key.
@ikloecker: Do you still have the private key for tests/json/key-with-revokers.asc somewhere? We need to remove the expiration date due to T7471.
Wed, Jan 1
Users landing here looking for help.
This looks like a bug with gnutls which is the only tool that fails:
Tue, Dec 31
Mon, Dec 30
Thank you. Fixed in: rPb415f3108921: build: Fix warning about obsolete pinentry-emacs.