Still problems with compatibility
Ryan Malayter
rmalayter@bai.org
Mon Oct 1 07:16:01 2001
>I still have problems with compatibility between GnuPG and PGP
>with encryption+signature. Compatibility is ok with making and verifying
>signatures, but not with encryption. I have made encryption+signature
>with GnuPG 1.0.6 and applied decrypt and verify to it, and the error
>has been reported. I have created typical key-pairs with GnuPG 1.0.4
>DSA/1024 - public key can be retrieved from key server
>http://sun.lodz.ptkardio.pl:11371
You need to use the --force-v3-sigs option for GnuPG. Despite claims to
the contrary, NAI's PGP 6.x-7.x are not fully OpenPGP compliant. OpenPGP
specifies v4 signature format as default for all signatures, including
message signatures. NAI PGP seems to support v4 signatures only for
self-signatures used in key storage and exchange, not for message
signatures.
Section 5.2 of RFC 2440 has details of the differences between the key
formats. Basically, the fingerprint algorithm on v4 signatures is a bit more
secure because it takes the length of the signature into account.
Since all implementations of PGP and OpenPGP accept v3 signatures for
messages, you can use --force-v3-sigs without too much worry.
-ryan-
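
The following is an added example, not part of the original message or of GnuPG: a small checker that walks the packet headers defined in RFC 2440 section 4.2 and reports whether each signature packet is v3 or v4, which is the difference the reply describes. It assumes binary (de-armored) input such as a detached signature or an already decrypted and decompressed packet stream; the function names and sample bytes are constructed for illustration.

```python
SIGNATURE_TAG = 2                    # packet tag for a signature packet
DOCUMENT_SIG_TYPES = (0x00, 0x01)    # binary and canonical-text document signatures

def read_packets(data):
    """Yield (tag, body) for each packet in binary OpenPGP data."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet header is not set")
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                # old-format header
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length is not handled here")
            size = (1, 2, 4)[length_type]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def signature_versions(data):
    """Return [(version, signature_type)] for every signature packet found."""
    found = []
    for tag, body in read_packets(data):
        if tag == SIGNATURE_TAG and len(body) >= 3:
            version = body[0]
            # v3 has a length octet (5) before the type; v4 has the type second.
            found.append((version, body[2] if version == 3 else body[1]))
    return found

def has_v4_message_signature(data):
    """True if any document signature is v4 (the case --force-v3-sigs avoids)."""
    return any(v == 4 and t in DOCUMENT_SIG_TYPES for v, t in signature_versions(data))

# Constructed samples (zeroed times, key IDs and 1-bit MPIs; not real signatures).
MPIS = bytes([0, 1, 1]) * 2
V3_SAMPLE = bytes([0x88, 25, 3, 5, 0x00]) + bytes(12) + bytes([17, 2, 0, 0]) + MPIS
V4_SAMPLE = bytes([0xC2, 16, 4, 0x00, 17, 2]) + bytes(6) + MPIS
```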