Diffstat (limited to 'doc')
-rw-r--r-- | doc/gpg.texi | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index d44a9a211..8975cf9cd 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -2848,16 +2848,17 @@ different compliance option in the gpg.conf file. @item --openpgp @opindex openpgp Reset all packet, cipher and digest options to strict OpenPGP -behavior. Use this option to reset all previous options like -@option{--s2k-*}, @option{--cipher-algo}, @option{--digest-algo} and +behavior. This option implies @option{--allow-old-cipher-algos}. Use +this option to reset all previous options like @option{--s2k-*}, +@option{--cipher-algo}, @option{--digest-algo} and @option{--compress-algo} to OpenPGP compliant values. All PGP workarounds are disabled. @item --rfc4880 @opindex rfc4880 Reset all packet, cipher and digest options to strict RFC-4880 -behavior. Note that this is currently the same thing as -@option{--openpgp}. +behavior. This option implies @option{--allow-old-cipher-algos}. +Note that this is currently the same thing as @option{--openpgp}. @item --rfc4880bis @opindex rfc4880bis @@ -2869,7 +2870,8 @@ proposed updates of RFC-4880. Reset all packet, cipher and digest options to strict RFC-2440 behavior. Note that by using this option encryption packets are created in a legacy mode without MDC protection. This is dangerous -and should thus only be used for experiments. See also option +and should thus only be used for experiments. This option implies +@option{--allow-old-cipher-algos}. See also option @option{--ignore-mdc-error}. @item --pgp6 
@@ -3391,6 +3393,15 @@ necessary to get as much data as possible out of that garbled message. Be aware that a missing or failed MDC can be an indication of an attack. Use with great caution; see also option @option{--rfc2440}. +@item --allow-old-cipher-algos +@opindex allow-old-cipher-algos +Old cipher algorithms like 3DES, IDEA, or CAST5 encrypt data using +blocks of 64 bits; modern algorithms use blocks of 128 bit instead. +To avoid certain attack on these old algorithms it is suggested not to +encrypt more than 150 MiByte using the same key. For this reason gpg +does not allow the use of 64 bit block size algorithms for encryption +unless this option is specified. + @item --allow-weak-digest-algos @opindex allow-weak-digest-algos Signatures made with known-weak digest algorithms are normally |
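Review bot: In the first hunk (@@ -2848), the sentence "This option implies @option{--allow-old-cipher-algos}." added to the --openpgp and --rfc4880 entries names the side effect without telling the reader what it changes. Selecting either compliance mode lifts the restriction on 64 bit block size algorithms for encryption that the new --allow-old-cipher-algos entry describes, and a user who sets a compliance mode in gpg.conf may not expect that. Suggest adding a pointer such as "see option @option{--allow-old-cipher-algos}" with a few words on the consequence. The --rfc4880bis entry that appears in the trailing context is not touched by this patch, so it would help to state there whether it implies the option or not.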
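Review bot: In the second hunk (@@ -2869), the added "This option implies @option{--allow-old-cipher-algos}." is placed between the MDC warning and "See also option @option{--ignore-mdc-error}", where it reads as a neutral remark inside a paragraph that is otherwise a warning. With this change --rfc2440 both creates packets without MDC protection and permits 64 bit block size algorithms for encryption. Suggest phrasing the new sentence as part of the warning and extending the "See also" pointer to mention --allow-old-cipher-algos next to --ignore-mdc-error.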
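Review bot: In the third hunk (@@ -3391), the new --allow-old-cipher-algos entry has wording slips and leaves its scope open. "blocks of 64 bits" and "blocks of 128 bit" should use the same form, "certain attack" should be "certain attacks", and "150 MiByte" would be clearer as "150 MiB". The entry says gpg "does not allow the use of 64 bit block size algorithms for encryption" but does not say whether decryption of existing messages that use 3DES, IDEA or CAST5 is affected; one sentence on that would prevent users from enabling the option only to read old mail. It would also help to list the compliance options that imply this one (--openpgp, --rfc4880, --rfc2440 in this patch) so the relationship is documented in both directions.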