PGP 5.x and GnuPG

sen_ml@eccosys.com
Fri, 17 Mar 2000 13:32:48 +0900


trevor> OK, next question: what the heck is a v3 key? And a v4 key (referred
trevor> to later in your reply)?

if what is being referred to is key material packets, see section 5.5.2 of
rfc 2440:

   There are two versions of key-material packets. Version 3 packets
   were first generated by PGP 2.6. Version 2 packets are identical in
   format to Version 3 packets, but are generated by PGP 2.5 or before.
   V2 packets are deprecated and they MUST NOT be generated.  PGP 5.0
   introduced version 4 packets, with new fields and semantics.  PGP
   2.6.x will not accept key-material packets with versions greater than
   3.

   OpenPGP implementations SHOULD create keys with version 4 format. An
   implementation MAY generate a V3 key to ensure interoperability with
   old software; note, however, that V4 keys correct some security
   deficiencies in V3 keys. These deficiencies are described below. An
   implementation MUST NOT create a V3 key with a public key algorithm
   other than RSA.

more details as to exactly what is the case for v3 and v4 key material
packets are available in the rfc.

(it seems that rfc 2440 is in the process of being updated so some of
the info may be out of date at some point in the near future.)

trevor> Weird. Doesn't the OpenPGP RFC start by saying that OpenPGP is a
trevor> proposed standard based on PGP 5.0? How did PGP5 manage not to comply
trevor> with the RFC based on it?

are you referring to the bit in section 1.1 that says:

    * OpenPGP - This is a definition for security software that uses
      PGP 5.x as a basis.

?

to me, "uses PGP 5.x as a basis" means "PGP 5.x was used as a starting
point", but what resulted (OpenPGP) doesn't necessarily have to be
backward compatible.  i think the wording in the rfc can be misleading
or confusing though.  also, i assume 5.x includes 5.0, 5.5.x, etc.  i
think it couldn't hurt to mention the existence of incompatibilities
w/ 5.0, if there are any.

perhaps you already know, but if not, you might find:

  http://www.imc.org/ietf-open-pgp/

to be of interest.
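
The V3/V4 distinction quoted above, as an added example that is not part of the original message: it reads the version octet of a public-key packet body and derives fingerprint and key ID the way RFC 2440 (sections 5.5.2 and 11.2) defines them for each version. The helpers `mpi` and `sample`, the toy modulus and the timestamp are constructed for illustration.

```python
import hashlib
import struct

def read_mpi(buf, off):
    """Read one MPI: 2-byte big-endian bit count, then the magnitude bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return buf[off + 2:end], end

def describe_key_packet(body):
    """Return version, algorithm, fingerprint and key ID of a public-key packet body."""
    if len(body) < 6:
        raise ValueError("packet too short")
    version = body[0]
    if version in (2, 3):
        # V2/V3 layout: version, 4-byte creation time, 2-byte validity days, algorithm
        if len(body) < 8:
            raise ValueError("V3 packet too short")
        algo = body[7]
        if algo not in (1, 2, 3):          # RSA, RSA encrypt-only, RSA sign-only
            raise ValueError("V3 key material must be RSA")
        n, off = read_mpi(body, 8)
        e, off = read_mpi(body, off)
        fpr = hashlib.md5(n + e).digest()  # MPI bodies only: no lengths, no timestamp
        key_id = n[-8:]                    # low 64 bits of the modulus
    elif version == 4:
        # V4 layout: version, 4-byte creation time, algorithm, algorithm-specific MPIs
        algo = body[5]
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
        key_id = fpr[-8:]                  # low 64 bits of the fingerprint
    else:
        raise ValueError("unknown key packet version %d" % version)
    return {"version": version, "algo": algo,
            "fingerprint": fpr.hex(), "key_id": key_id.hex()}

def mpi(value):
    """Encode an integer as an OpenPGP MPI (helper for the constructed samples)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

# Constructed toy key material, far too small to be a real key.
N, E = 0xC0FFEE0123456789ABCDEF0011223345, 65537

def sample(version, created):
    """Build a constructed V3 or V4 RSA public-key packet body around N and E."""
    head = struct.pack(">BI", version, created)
    if version == 3:
        head += struct.pack(">H", 0)       # validity period in days, 0 = no expiry
    return head + b"\x01" + mpi(N) + mpi(E)
```

Calling `describe_key_packet(sample(3, t))` with two different creation times gives the same V3 fingerprint, while the V4 fingerprint changes, because only the V4 hash covers the whole packet body.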