RSA & IDEA Howto (Was Re: Signing (with) old pgp 2 keys)

Tue, 20 Jul 1999 09:32:49 -0500

Thanks for making this HOWTO.  I have a few suggestions for it:

On Jul 20, 12:57pm, Michael Roth wrote:
...

> * If you're inside the US or Canada you should use the RSAREF glue code

>   for GnuPG. Get it from ftp://ftp.guug.de/pub/gcrypt/contrib/rsaref.c

>   Of course you need the RSAREF library compiled and installed already.

>   Take a look in the documentation of the RSAREF library for the way to

>   do this.

I suggest including a URL for RSAREF 2.0:
    ftp://ftp.funet.fi/pub/crypt/cryptography/asymmetric/rsa/rsaref2.tar.gz
RSAREF 1 can be found at 
    ftp://non-us.debian.org/debian-non-US/dists/stable/non-US/source/rsaref_19930105.orig.tar.gz

> Installing the compiled modules:

> ================================

> After you compiled these two modules you get two files `rsa' and `idea'

> which are the modules you must install in the GnuPG module directory.

> The default GnuPG module directoy is `/usr/local/lib/gnupg'. If you

> compiled GnuPG with a different install prefix using "--prefix PREFIX"

> when you configured your GnuPG source, then the module directoy is equal

> to "PREFIX/lib/gnupg".

> Copy the two files `rsa' and `idea' into the module directory described

> above.  Make sure everyone could read these files.

Note that the modules don't need to be there because you can also load
extensions from other directories by using complete pathnames with
--load-extension.

> You don't have to make

> these files executale. These files aren't programms but shared modules.

I found that to be untrue on HPUX; shared modules need to be executable there.
GnuPG 0.9.8 no longer removes execute permissions when it installs its
default extensions because of that.  I suggest dropping the above statement.

On Jul 20,  2:28pm, Remi Guyomarch wrote:

> Subject: Re: RSA & IDEA Howto  (Was Re: Signing (with) old pgp 2 keys)

> On Tue, Jul 20, 1999 at 12:57:10PM +0200, Michael Roth wrote:

> [...] 

> > Currently it is not possible to create PGP 2.6 compliant signatures with

> > GnuPG. However, you could decrypt and verify messages signed with PGP 2.6

> > using GnuPG without problems. The reason is that GnuPG doesn't use

> > tempfiles which were necessary to create PGP 2.6 compliant signatures. To

> > check such signatures it isn't necessary to use tempfiles. However, their

> > is work on a frontend to GnuPG in progress which will create PGP 2.6

> > compliants signatures. Please note: This tool is not yet finished.

> > 

> > You could not create convetionally encrypted messages readable for PGP 2.6

> > nor could you decrypt such messages created from PGP 2.6 with GnuPG.

> 

> I patched GnuPG to solve these issues. For various reasons

> (see http://lists.gnupg.org/gnupg-devel-9903/msg00033.html and

>      http://lists.gnupg.org/gnupg-devel-9903/msg00037.html)

> this patch won't be integrated into GnuPG.

> 

> But I still maintain it for my own usage. I can email to anyone requesting it 

> the diff between the current GnuPG and my version (don't try the patch in my 

> original message).

This is not entirely true either: if you use "--clearsign" then pgp 2.6 can
verify the signature.  This is very significant in my opinion.  As far as I
can tell, pgp 2.6 only has trouble verifying gpg signatures if you use "--sign".

- Dave Dykstra