Specifically, I have been saying that in normal PGP usage, the PGP MDC is not relevant. Since each message is self-contained (no ongoing connection), it is better to authenticate the plaintext directly with a signature. For an unsigned message an attacker can replace the whole thing. For the case of symmetrical encryption, the PGP MDC is relevant. So it depends...
>the PGP MDC is as secure as an authenticated cipher mode.
It is. It turns out there is a class of authenticated encryption that involves first hashing the plaintext and then encrypting the plaintext and the hash. OCFB-MDC seems to be an instance of that class. That seems to defy conventional wisdom and as a result is interesting.
More: https://articles.59.ca/doku.php?id=pgpfan:authenticated (my article)
More: https://articles.59.ca/doku.php?id=pgpfan:mdc (my article)
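The hash-then-encrypt construction discussed in the comment above, as an added Python sketch that is not from the post, the linked articles, or any OpenPGP implementation. It assumes a keyed HMAC-SHA256 as a stand-in for the block cipher, treats the plaintext as raw bytes rather than OpenPGP packets, and uses hypothetical function names.

```python
import hashlib
import hmac
import os

BLOCK = 16  # cipher block size in bytes (AES-sized)
MDC_HDR = b"\xd3\x14"  # MDC packet header: tag 19, length 20

def _prf(key, block):
    # Assumption: keyed HMAC-SHA256 stands in for the block cipher's forward
    # direction (CFB never uses the inverse). Real OpenPGP uses e.g. AES.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _cfb(key, data, decrypt):
    # CFB with an all-zero IV; feedback is always the ciphertext block.
    feedback, out = bytes(BLOCK), bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, _prf(key, feedback)))
        out += res
        feedback = chunk if decrypt else res
    return bytes(out)

def seal(key, plaintext):
    # Random prefix with its last two bytes repeated, then the data, then
    # the MDC header; SHA-1 covers all of that and is encrypted with it.
    prefix = os.urandom(BLOCK)
    body = prefix + prefix[-2:] + plaintext + MDC_HDR
    return _cfb(key, body + hashlib.sha1(body).digest(), decrypt=False)

def unseal(key, ciphertext):
    data = _cfb(key, ciphertext, decrypt=True)
    if len(data) < BLOCK + 2 + len(MDC_HDR) + 20:
        raise ValueError("truncated")
    body, mdc = data[:-20], data[-20:]
    ok = hmac.compare_digest(hashlib.sha1(body).digest(), mdc)
    if not ok or body[-2:] != MDC_HDR:
        raise ValueError("MDC mismatch: ciphertext was modified")
    return body[BLOCK + 2:-2]

def tamper_detected(key, ciphertext, index):
    # Flip one bit at `index` and report whether unseal() rejects it.
    forged = bytearray(ciphertext)
    forged[index] ^= 0x01
    try:
        unseal(key, bytes(forged))
    except ValueError:
        return True
    return False
```
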