Still problems with compatibility

Ryan Malayter rmalayter@bai.org
Mon Oct 1 07:16:01 2001



>I still have problems with compatibility between GnuPG and PGP
>with encryption+signature. Compatibility is ok with making and verifying
>signatures, but not at encryption. I have made encryption+signature
>with GnuPG 1.0.6 and applied decrypt and verify to it, and the error
>has been reported. I have created typical key-pairs with GnuPG 1.0.4
>DSA/1024 - public key can be retrieved from key server
>http://sun.lodz.ptkardio.pl:11371

You need to use the --force-v3-sigs option for GnuPG. Despite claims to the contrary, NAI's PGP 6.x-7.x are not fully OpenPGP compliant. OpenPGP specifies v4 signature format as default for all signatures, including message signatures. NAI PGP seems to support v4 signatures only for self-signatures used in key storage and exchange, not for message signatures.

Section 5.2 of RFC 2440 has details of the differences between the key formats. Basically, the fingerprint algorithm on v4 signatures is a bit more secure because it takes the length of the signature into account. Since all implementations of PGP and OpenPGP accept v3 signatures for messages, you can use --force-v3-sigs without too much worry.

-ryan-
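
To check which signature version a message actually carries, the following added example (not part of the original post, and not GnuPG or PGP code) walks a binary OpenPGP packet stream and reports the version octet of each signature packet, following the packet header and signature layouts in RFC 2440. It assumes unarmored input in which the signature packet is visible (a detached signature or an already decrypted stream); the function names and the two sample packets are constructed for illustration, with the signature MPIs omitted.

```python
import struct

SIG_TAG = 2  # Signature packet tag (RFC 2440, section 4.3)

def read_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:  # old-format header; length type 3 means "runs to end of data"
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            nbytes = 0 if ltype == 3 else 1 << ltype
            length = int.from_bytes(data[pos:pos + nbytes], "big") if nbytes else len(data) - pos
            pos += nbytes
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def signature_versions(data):
    """Return (version, sig_type) for every signature packet in the stream."""
    out = []
    for tag, body in read_packets(data):
        if tag == SIG_TAG:
            # v3 body: version, hashed length (5), type; v4 body: version, type
            out.append((body[0], body[2] if body[0] == 3 else body[1]))
    return out

# Constructed samples (MPIs omitted): v3 in an old-format header, v4 in a new-format one.
V3_SIG = bytes.fromhex("8813" "030500" "3bb81a61" "1122334455667788" "1102" "abcd")
V4_SIG = bytes.fromhex("c20a" "0401" "1102" "0000" "0000" "abcd")

if __name__ == "__main__":
    for name, blob in (("v3", V3_SIG), ("v4", V4_SIG)):
        print(name, signature_versions(blob))
```

A version of 3 on a message signature (type 0x00 or 0x01) is what --force-v3-sigs is meant to produce.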