This post doesn't adequately explain how MDC isn't broken: if my PGP implementation gives me unauthenticated data, then I am not doing authenticated encryption no matter what might be smashed onto the end of my ciphertext. Folding authentication into the correctness decryption phase is the only secure and misuse-resistant way to do authenticated encryption; PGP fails to provide either.
We can nitpick about the factuality of the "16 bit" claim or the truncation attack (which I believe GPG has since fixed), but neither directly contradicts the above.
> Note that since PGP addresses offline non-connected media it is simpler to directly authenticate the material. So the sort of thing that is being described here as "authenticated encryption" is not usually relevant[2].
Okay, but you just pointed to this property as a "huge footgun" in age. Why is it a footgun there, and not in PGP?
Besides, this is entirely ignoring actual use patterns: age is intended for offline file encryption, while PGP is used in all kinds of online channels and directly advertises itself as a "toolbox" for any purpose.
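The point in the first comment above (that a trailing integrity check does not make a scheme authenticated encryption if the implementation hands out plaintext before the check runs) can be shown with a toy construction. The following is an added example written for this thread; it is not code from any commenter, and it is not OpenPGP's wire format or GnuPG's decryption logic. It assumes a made-up stream cipher (SHA-256 in counter mode) with a SHA-1 hash of the plaintext appended inside the encrypted stream, in the spirit of an MDC trailer; the function names `encrypt_with_trailer`, `decrypt_streaming` and `decrypt_verify_first` are hypothetical. The streaming decryptor releases data before the trailer is checked, so a truncated or bit-flipped ciphertext still yields (wrong) plaintext to the caller; the verify-first decryptor releases nothing unless the whole message checks out.

```python
import hashlib
import hmac

TAG_LEN = 20  # SHA-1 digest length used as the toy "MDC" trailer


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), concatenated. Assumption for the demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_trailer(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext || SHA-1(plaintext); the hash rides inside the ciphertext like an MDC."""
    body = plaintext + hashlib.sha1(plaintext).digest()
    return xor(body, keystream(key, nonce, len(body)))


def decrypt_streaming(key: bytes, nonce: bytes, ciphertext: bytes, chunk: int = 16):
    """Hands plaintext chunks to the caller as they are decrypted and checks
    the trailer only at the end. Returns (released_chunks, trailer_ok).
    Whatever is in released_chunks has already left the decryptor, verified or not."""
    decrypted = xor(ciphertext, keystream(key, nonce, len(ciphertext)))
    if len(decrypted) < TAG_LEN:
        return [], False
    body, tag = decrypted[:-TAG_LEN], decrypted[-TAG_LEN:]
    released = [body[i:i + chunk] for i in range(0, len(body), chunk)]
    ok = hmac.compare_digest(hashlib.sha1(body).digest(), tag)
    return released, ok


def decrypt_verify_first(key: bytes, nonce: bytes, ciphertext: bytes):
    """Buffers the whole message, verifies the trailer, and only then returns plaintext.
    Returns None on any failure, so no unauthenticated byte is ever released."""
    decrypted = xor(ciphertext, keystream(key, nonce, len(ciphertext)))
    if len(decrypted) < TAG_LEN:
        return None
    body, tag = decrypted[:-TAG_LEN], decrypted[-TAG_LEN:]
    if not hmac.compare_digest(hashlib.sha1(body).digest(), tag):
        return None
    return body


def demo():
    """Constructed inputs: a fixed key/nonce and a short message."""
    key, nonce = b"k" * 32, b"n" * 12
    plaintext = b"Meet at the old mill at dawn; bring the second key."
    ct = encrypt_with_trailer(key, nonce, plaintext)

    truncated = ct[:-10]                 # attacker drops the last 10 bytes
    flipped = bytearray(ct)
    flipped[0] ^= 0x01                   # attacker flips one bit of the first byte
    flipped = bytes(flipped)

    results = {}
    for name, c in (("good", ct), ("truncated", truncated), ("flipped", flipped)):
        released, ok = decrypt_streaming(key, nonce, c)
        results[name] = {
            "streaming_released": b"".join(released),
            "streaming_ok": ok,
            "verify_first": decrypt_verify_first(key, nonce, c),
        }
    return plaintext, results


if __name__ == "__main__":
    pt, res = demo()
    for name, r in res.items():
        print(f"{name:9s} streaming released {len(r['streaming_released'])} bytes, "
              f"trailer ok={r['streaming_ok']}, verify-first -> "
              f"{'plaintext' if r['verify_first'] is not None else 'None'}")
```

Running it shows the streaming decryptor emitting the truncated or bit-flipped text before reporting a failed trailer, while the verify-first decryptor returns None for both tampered inputs. The design lesson is the one the comment makes: the trailer's existence is not the property that matters; what matters is whether the API can ever surface bytes the check has not covered.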
>Folding authentication into the correctness decryption phase is the only secure and misuse-resistant way to do authenticated encryption...
Again, PGP does not do things the same way TLS does. I do not see how you can possibly prove that other approaches cannot be secure.
>We can nitpick about the factuality of the "16 bit" claim or the truncation attack (which I believe GPG has since fixed), but neither directly contradicts the above.
There is no nitpicking involved here. The claim is straight up wrong. The author of The PGP Principle either misread the email thread or deliberately misrepresented it. GPG could not fix that which was not broken.
>Okay, but you just pointed to this property as a "huge footgun" in age. Why is it a footgun there, and not in PGP?
Please read this article to understand how PGP does things: