GnuPG - PGP compatibility [Was: Can't compile RSA / IDEA under Windows]
Michel Bouissou
michel@bouissou.net
Wed, 6 Sep 2000 15:31:53 +0200
Werner Koch wrote:
> Have a look at the current keyserver stats (pgp.net):
>
> Version 2 keys: 17763
> Version 3 keys: 115803
> Version 4 keys: 2062301
> RSA keys: 133556
> RSA keys (sign): 8
> RSA keys (encrypt): 8
> ELGamal keys: 1032275
> DSA keys: 1029819
>
> So we have 10 times more DSA/ElGamal keys than old RSA keys; I don't
> see any reason to add more PGP compatibility.
I don't think that these figures give an exact image of the situation. Here is
why:
- PGP 2.x doesn't include any support for keyservers. So PGP 2.x users who want
to put their keys on servers need to perform it outside of PGP, using Web or
mail interfaces.
- PGP 5.x / 6.x includes native keyservers support, and automatically proposes
to the user to send his keys to servers as soon as a key pair is generated.
This will make many people send their keys (especially for newcomers, send keys
that will be lost and never reused ;-) to the servers where PGP 2.x users
wouldn't have sent them.
- Furthermore, current users sticking to PGP 2 may be a little more "paranoiac"
than PGP 5.x or 6.x users, making them more reluctant to distribute their keys
onto keyservers.
So, IMHO, keyserver statistics do not give an exact figure of the real ratio of
PGP 2 vs PGP 6 keys.
Last but not least, a number of tools in usage today, such as anonymous
remailers, heavily rely on PGP 2 and PGP 2 format keys, making them necessary
for interacting with such systems.
> The old RSA keys are
> usable without any restrictions in 2 weeks, IDEA is used only to
> protect the secret key (trivial to change) and as the session key in
> mails. If you keep a large pile of PGP 2 encrypted mails in an
> archive you can write a script to reencrypt them with a non-patented
> algorithm.
Well, it seems that signing and encrypting a message using GnuPG so that PGP2
can decrypt and sig-check it properly, is less trivial...
(http://www.gnupg.org/gph/en/pgp2x.html)
> > Asking to "go fix PGP 2" is pure nonsense. Are you speaking seriously
> > ?
>
> Yes. It is not much work to hack PGP2 to support CAST5 - however,
> IMO I don't think it is worth the time.
People that trust only PGP2 (for it has been there for long, extensively
reviewed, etc.) would never trust a newly "fixed" version of PGP2 incorporating
CAST5. That's why this suggestion doesn't make sense.
> > RSA and IDEA may be encumbered with patent issues (soon to be solved
> > for RSA), these issues do not make these algorithms "deprecated" nor
> > "obsolete" nor less trustable than DH/DSS or CAST5.
> > Therefore, displaying such messages is a partial choice based on
> > personal opinions and not technical facts.
>
> It is not my personal opinion but the one of the GNU project.
> Please read the GPL to see why we can't distribute any software
> which uses a patented algorithm.
I perfectly understand this issue, and perfectly understand why IDEA cannot be
integrated into the main GnuPG distribution which is under GPL.
Although, this doesn't prevent from making provisions for the easy integration
of an external module that you can easily plug into GnuPG. This is already the
case in Unix, but I read your answer saying it wasn't working in Windows...
And not integrating these algorithms into the main distribution doesn't force
GnuPG to display messages stating these algorithms are "deprecated" or
"obsolete". Maybe just "unsupported" if the corresponding module is not
loaded...
Best regards.
michel@bouissou.net