Compatibility

Thu, 13 Apr 2000 14:54:22 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 13 Apr 2000, Lazarus Long wrote:

> On Thu, Apr 13, 2000 at 10:32:46PM +0200, Johan Lundberg wrote:

>  > On Thu, 13 Apr 2000, L. Sassaman wrote:

>  > 

>  > >Be sure you are using a cipher that both products can understand. 3DES is

>  > >the most logical, since it is required by RFC 2440. CAST is the default

>  > >cipher in PGP, and Blowfish in GnuPG. PGP does not implement Blowfish, so

>  > >this is most likely your problem.

>  > 

>  > So, why does GPG default to something that pgp cant handle?

> 

> So why does PGP default to something that GnuPG can't handle?

> 

> The point is to be compatible with the spec (the RFC) not with some

> commercial software.  If some commercial software, any commercial

> software, happens to be compliant with the RFC, then interoperability

> should be possible.  That's one of the reasons for compliance with

> standards.

I personally believe that defaulting to 3DES would make sense, for any
OpenPGP product. But that's just a personal opinion. And I think that
being compatable with the other OpenPGP implementations is imporant...

> However, I am now curious why the commercial (NAI) PGP doesn't support

> open source Blowfish.  But, being a commercial endeavor, I suppose I

> should not care very much what they (NAI) do or do not support.  As long

> as GnuPG remains standards-compliant I should be happy.  The fact that NAI

> chose to make their product noncompliant with the standard (in another

> manner) is deplorable (in my opinion.)  They are certainly not something

> to be emulated.

Okay, get your facts straight. Aside from the photo-id packet issue, which
would have/should have been in the RFC had it not been brought up rather
late in the cycle, PGP is compatable with RFC 2440. If someone knows of
any other issue of non-compliance, please let me know. PGP 5.x is not
compliant. Why? There was no standard to comply *with*. So I don't care
about 5.x violations. Show me 6.0 non-compliance issues, other than the
photo-id packet. Please. (And by the way, OpenPGP *is* an emulation of PGP
Inc.'s product. ;) )

As for the reasons for not implementing Blowfish, that's simple. It isn't
necessary. PGP implements all the MUST and SHOULD algorithms. Incidently,
GnuPG doesn't; implementing IDEA and RSA are SHOULDs. I understand
Werner's reasoning, and I am sure that RSA support will be present as soon
as the patent expires.

Adding Blowfish wouldn't give the user anything more than they already
have, in my opinion. CAST5, 3DES, IDEA, and Twofish are more than
suffient.

Note, also, that GnuPG does not use DSS by default. The jury is still out
on the effectiveness of RIPEMD160 in place of SHA-1 when used with DSA. It
could be just as secure, but "could be's" are not usually something you
want to mess with in cryptography.

- --Len.

__

L. Sassaman

System Administrator                |  "All of the chaos
Technology Consultant               |   Makes perfect sense..."
icq.. 10735603                      |
pgp.. finger://ns.quickie.net/rabbi |              --Joe Diffie