PGP compatibility
Mark H. Wood
mwood@IUPUI.Edu
Fri, 24 Sep 1999 08:32:10 -0500 (EST)
On Thu, 23 Sep 1999, R. Jackson wrote:
> Ok, this may make me sound stupid, but how compatible is GPG 1.0 with
> PGP (any version)? I've read the FAQs and documentation, but I'm
> confused about which versions of PGP will not work with feature X or Y
> of GPG, and vice versa. For example:
>
> Can PGP encrypted items using algorithms X and Y be properly decrypted
> by GPG?
> Which PGP versions can't read GPG signatures that use algorithm X?
My interpretation:

If algorithm X requires that you pay for the right to use it, GPG doesn't
have it. (These requirements are considered unenforceable in some parts
of the world, and people have built addons that can be used in such
places. If you live elsewhere, I would advise against using the addons.)

If algorithm X requires that you not disclose source, GPG doesn't have it.
(Again there may be exceptions in some parts of the world.)

If an implementation of algorithm Y may be published in source and
distributed without fee, then it's either in GPG or someone is probably
working on it.

RSA is not free. IDEA is not free. There are addons for them but it is
arguably illegal to use them in many parts of the world.

Sorry -- that's the best I can do. I think that R. Jackson wanted
something like:
PGP2 PGP5 GPG
RSA X X
IDEA X X
DSA X X X
Twofish X X
etc.
but I don't know enough to supply it. (In fact the table above is
probably inaccurate.) Could someone who *does* know the score work up a
compatibility table and insert it into the GPG documentation?

Personally, the bulk of the signed mail I get evokes one or more
"unsupported algorithm" complaints and winds up being unverifiable. I'm
seeing an increase in verifiable signatures, but no decrease in
unverifiable ones. So the news is good and bad. :-/

++++++++++++++

IANAL but I believe that U.S. patents may be extended (once) upon
application. The extension grants an additional 17 years. If RSADSI has
something waiting in the wings that will make more money than continuing
to sell RSA then they may allow the RSA patent to expire, but if not then
they may apply for an extension. Don't get your hopes up too high. (I
have no idea how this affects anyone in any other country -- I have
enough trouble understanding only U.S. laws.)
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Please, no more software products offering a "richer experience"! I have
indigestion of the brain already. Give me a more ascetic experience.