RSA & IDEA Howto (Was Re: Signing (with) old pgp 2 keys)
Dave Dykstra
dwd@bell-labs.com
Tue, 20 Jul 1999 09:32:49 -0500
Thanks for making this HOWTO. I have a few suggestions for it:
On Jul 20, 12:57pm, Michael Roth wrote:
...
> * If you're inside the US or Canada you should use the RSAREF glue code
> for GnuPG. Get it from ftp://ftp.guug.de/pub/gcrypt/contrib/rsaref.c
> Of course you need the RSAREF library compiled and installed already.
> Take a look in the documentation of the RSAREF library for the way to
> do this.
I suggest including a URL for RSAREF 2.0:
ftp://ftp.funet.fi/pub/crypt/cryptography/asymmetric/rsa/rsaref2.tar.gz
RSAREF 1 can be found at
ftp://non-us.debian.org/debian-non-US/dists/stable/non-US/source/rsaref_19930105.orig.tar.gz
> Installing the compiled modules:
> ================================
> After you compiled these two modules you get two files `rsa' and `idea'
> which are the modules you must install in the GnuPG module directory.
> The default GnuPG module directoy is `/usr/local/lib/gnupg'. If you
> compiled GnuPG with a different install prefix using "--prefix PREFIX"
> when you configured your GnuPG source, then the module directoy is equal
> to "PREFIX/lib/gnupg".
> Copy the two files `rsa' and `idea' into the module directory described
> above. Make sure everyone could read these files.
Note that the modules don't need to be there because you can also load
extensions from other directories by using complete pathnames with
--load-extension.
> You don't have to make
> these files executale. These files aren't programms but shared modules.
I found that to be untrue on HPUX; shared modules need to be executable there.
GnuPG 0.9.8 no longer removes execute permissions when it installs its
default extensions because of that. I suggest dropping the above statement.
On Jul 20, 2:28pm, Remi Guyomarch wrote:
> Subject: Re: RSA & IDEA Howto (Was Re: Signing (with) old pgp 2 keys)
> On Tue, Jul 20, 1999 at 12:57:10PM +0200, Michael Roth wrote:
> [...]
> > Currently it is not possible to create PGP 2.6 compliant signatures with
> > GnuPG. However, you could decrypt and verify messages signed with PGP 2.6
> > using GnuPG without problems. The reason is that GnuPG doesn't use
> > tempfiles which were necessary to create PGP 2.6 compliant signatures. To
> > check such signatures it isn't necessary to use tempfiles. However, their
> > is work on a frontend to GnuPG in progress which will create PGP 2.6
> > compliants signatures. Please note: This tool is not yet finished.
> >
> > You could not create convetionally encrypted messages readable for PGP 2.6
> > nor could you decrypt such messages created from PGP 2.6 with GnuPG.
>
> I patched GnuPG to solve these issues. For various reasons
> (see http://lists.gnupg.org/gnupg-devel-9903/msg00033.html and
> http://lists.gnupg.org/gnupg-devel-9903/msg00037.html)
> this patch won't be integrated into GnuPG.
>
> But I still maintain it for my own usage. I can email to anyone requesting it
> the diff between the current GnuPG and my version (don't try the patch in my
> original message).
This is not entirely true either: if you use "--clearsign" then pgp 2.6 can
verify the signature. This is very significant in my opinion. As far as I
can tell, pgp 2.6 only has trouble verifying gpg signatures if you use "--sign".
- Dave Dykstra