PGP 6 can't handle ElGamal-only keys

L. Sassaman rabbi at
Mon Jul 17 13:01:20 CEST 2000

On Mon, 17 Jul 2000, Dave Dykstra wrote:

> On Mon, Jul 17, 2000 at 11:27:42AM -0700, L. Sassaman wrote:
> > PGP has never, and never will, support ElGamal signing keys. There are too
> > many known attacks against them, and supporting them would weaken PGP.
> Why does gpg support them then?

It's a long story... Werner explained it to me in Holland a few months
ago. Basically, he wasn't aware that DSA was freely usable at the time
that he began work on GnuPG, and ElGamal was the next best thing. (He
could remove them now, but there is the backwards compatibility issue.)

(Note that, as far as I know, GnuPG avoids all the known problems with the
ElGamal keys. But you have no control over what other implementations
might do, and there is no telling what other attacks might be found
against ElGamal signatures in the future.)

I still want to see a "Warning: This key will not interoperate with
PGP" when you try to generate one...

> > Why would you not generate a DSA/ElGamal key instead, if you only intend
> > to use it for encryption?
> It was just a lack of understanding, an assumption that it would be simpler
> to have a single key instead of a signing key plus a sub-encryption key.

Well, just to clarify... "ElGamal only" keys are not a single key. They
are a signing only key, and a separate encryption only subkey (This is how
all v4 keys are, including v4 RSA keys).

> Sigh, we need to generate and redistribute a new key.

Yep. Have fun. :)

> Thanks for the info.

Let me know if you have any other questions.

--Len.


L. Sassaman

System Administrator                |  "Every window on Alcatraz has
Technology Consultant               |   a view of San Francisco."
icq.. 10735603                      |  
pgp.. finger:// |          --Susanna Kaysen 


More information about the Gnupg-devel mailing list
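
Added example, not part of the original message or of GnuPG: a check that reads a key listing in the `gpg --list-keys --with-colons` layout and flags keys using public-key algorithm 20 (ElGamal encrypt-or-sign in RFC 2440), the kind of key the thread says PGP will not handle. The listing is constructed, the key IDs are made up, and the function names are hypothetical.

```python
# OpenPGP public-key algorithm IDs (RFC 2440, section 9.1).
ALGO_NAMES = {1: "RSA", 16: "ElGamal encrypt-only", 17: "DSA",
              20: "ElGamal sign+encrypt"}
ELGAMAL_SIGN = 20  # the key type the thread says PGP does not support

# Constructed sample in the colon-listing layout: field 1 record type,
# field 3 key length, field 4 algorithm ID, field 5 key ID.
# Key IDs are made up; fields this example does not read are left empty.
SAMPLE_LISTING = """\
pub::1024:17:AAAAAAAAAAAAAAAA:
sub::2048:16:BBBBBBBBBBBBBBBB:
pub::2048:20:CCCCCCCCCCCCCCCC:
sub::2048:16:DDDDDDDDDDDDDDDD:
"""

def parse_keys(listing):
    """Group each primary key ('pub') with the subkeys ('sub') after it."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] not in ("pub", "sub"):
            continue  # uid, fpr, sig and other records are not needed here
        if not fields[3].isdigit():
            continue  # malformed algorithm field
        entry = {"algo": int(fields[3]), "bits": fields[2], "keyid": fields[4]}
        if fields[0] == "pub":
            keys.append({"primary": entry, "subkeys": []})
        elif keys:  # a 'sub' record with no preceding 'pub' is ignored
            keys[-1]["subkeys"].append(entry)
    return keys

def elgamal_signing_keys(listing):
    """Return primary key IDs whose primary key or any subkey is type 20."""
    flagged = []
    for key in parse_keys(listing):
        members = [key["primary"]] + key["subkeys"]
        if any(m["algo"] == ELGAMAL_SIGN for m in members):
            flagged.append(key["primary"]["keyid"])
    return flagged

def describe(entry):
    """Render one key as 'bits/keyid algorithm-name'."""
    name = ALGO_NAMES.get(entry["algo"], "algorithm %d" % entry["algo"])
    return "%s/%s %s" % (entry["bits"], entry["keyid"], name)

if __name__ == "__main__":
    flagged = elgamal_signing_keys(SAMPLE_LISTING)
    for key in parse_keys(SAMPLE_LISTING):
        warn = key["primary"]["keyid"] in flagged
        print("pub " + describe(key["primary"])
              + ("  Warning: will not interoperate with PGP" if warn else ""))
        for sub in key["subkeys"]:
            print("  sub " + describe(sub))
```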