Generating PGP 2.6.2-compatible RSA signing keys with GnuPG

Michael Young mwy-gpg41 at the-youngs.org
Thu Mar 28 20:41:02 CET 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> From: Werner Koch <wk at gnupg.org>
> GnuPG does not create the old v3 keys used with PGP2.  There are good
> reasons not to support the old format any longer; it has some minor
> flaws.  GnuPG can use these v3 keys without any problems, though.

The flaws are not in the key itself.  They're in the fingerprint
and keyId computations that get used for identification.  You don't
*have* to use these forms of identification in order to use the key.

As Len noted, you can convert a V4 RSA key to a V3 key (or vice
versa).  Lookups won't work, and signatures binding that key to
names (even the self-signature) won't be valid.  But signatures
made *by* the key, or material encrypted to the key will be
perfectly usable.  [Also, note that generating a V4 key and
converting to V3 doesn't address the root problem; it's just
a workaround.]

> I'd suggest that you either create the key using PGP2, continue to use
> an old one or send private mail to discuss whether I can provide an
> inofficial patch for this.

Here, the user appears willing to live with the identification issue.
Others are using PGP2.6 anyway, so they already have to be (or should
be) careful with identification.  Their key distribution and
verification may not depend on keyId or fingerprint behavior.

If someone is willing to make an patch for it, I would plead for
making it official.  I would not make it easy -- a separate switch
("--gen-v3-key") and requiring the "--expert" switch seems reasonable.

If I thought there were only one user looking for this, an unofficial
patch would make more sense to me.  I've seen questions here and in
newsgroups that suggest that this is not a unique desire.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPKNwp1MkvpTT8vCGEQJ/DwCgvn4wSCa6NqfFECU69Z0g3vwCHfsAn3rV
puxSxGteUvVNiUCB7OSsZR1N
=ZuJI
-----END PGP SIGNATURE-----






More information about the Gnupg-devel mailing list