RSA & IDEA Howto (Was Re: Signing (with) old pgp 2 keys)

Tue Jul 20 10:32:49 CEST 1999

Thanks for making this HOWTO.  I have a few suggestions for it:

On Jul 20, 12:57pm, Michael Roth wrote:
...
> * If you're inside the US or Canada you should use the RSAREF glue code
>   for GnuPG. Get it from ftp://ftp.guug.de/pub/gcrypt/contrib/rsaref.c
>   Of course you need the RSAREF library compiled and installed already.
>   Take a look in the documentation of the RSAREF library for the way to
>   do this.

I suggest including a URL for RSAREF 2.0:
    ftp://ftp.funet.fi/pub/crypt/cryptography/asymmetric/rsa/rsaref2.tar.gz
RSAREF 1 can be found at 
    ftp://non-us.debian.org/debian-non-US/dists/stable/non-US/source/rsaref_19930105.orig.tar.gz

> Installing the compiled modules:
> ================================
> After you compiled these two modules you get two files `rsa' and `idea'
> which are the modules you must install in the GnuPG module directory.
> The default GnuPG module directoy is `/usr/local/lib/gnupg'. If you
> compiled GnuPG with a different install prefix using "--prefix PREFIX"
> when you configured your GnuPG source, then the module directoy is equal
> to "PREFIX/lib/gnupg".
> Copy the two files `rsa' and `idea' into the module directory described
> above.  Make sure everyone could read these files.

Note that the modules don't need to be there because you can also load
extensions from other directories by using complete pathnames with
--load-extension.

> You don't have to make
> these files executale. These files aren't programms but shared modules.

I found that to be untrue on HPUX; shared modules need to be executable there.
GnuPG 0.9.8 no longer removes execute permissions when it installs its
default extensions because of that.  I suggest dropping the above statement.

On Jul 20,  2:28pm, Remi Guyomarch wrote:
> Subject: Re: RSA & IDEA Howto  (Was Re: Signing (with) old pgp 2 keys)
> On Tue, Jul 20, 1999 at 12:57:10PM +0200, Michael Roth wrote:
> [...] 
> > Currently it is not possible to create PGP 2.6 compliant signatures with
> > GnuPG. However, you could decrypt and verify messages signed with PGP 2.6
> > using GnuPG without problems. The reason is that GnuPG doesn't use
> > tempfiles which were necessary to create PGP 2.6 compliant signatures. To
> > check such signatures it isn't necessary to use tempfiles. However, their
> > is work on a frontend to GnuPG in progress which will create PGP 2.6
> > compliants signatures. Please note: This tool is not yet finished.
> > 
> > You could not create convetionally encrypted messages readable for PGP 2.6
> > nor could you decrypt such messages created from PGP 2.6 with GnuPG.
> 
> I patched GnuPG to solve these issues. For various reasons
> (see http://lists.gnupg.org/gnupg-devel-9903/msg00033.html and
>      http://lists.gnupg.org/gnupg-devel-9903/msg00037.html)
> this patch won't be integrated into GnuPG.
> 
> But I still maintain it for my own usage. I can email to anyone requesting it 
> the diff between the current GnuPG and my version (don't try the patch in my 
> original message).

This is not entirely true either: if you use "--clearsign" then pgp 2.6 can
verify the signature.  This is very significant in my opinion.  As far as I
can tell, pgp 2.6 only has trouble verifying gpg signatures if you use "--sign".

- Dave Dykstra