To upgrade or not?

Leigh S. Jones, KR6X
Mon Jun 3 19:45:01 2002

Many of the development team are likely to disagree
with me.  I personally feel that the most compelling reason
to upgrade to 1.0.7 is the improved security of the
secret keyring file.  Secret keyrings that might be edited
by an attacker and replaced are most at risk -- in other
words the keyrings found on Windows computers are at
greatest risk, while UNIX/Linux computers are slightly
safer (but nonetheless are at risk).  

The risk is the possible addition of an additional 
decryption key to your secret key without your knowledge, 
and the solution is a higher security checksum algorithm 
that is used by default on 1.0.7.  The new checksum 
algorithm unfortunately makes the process of exporting 
secret keys to another keyring (to PGP or to earlier 
implementations of gpg) slightly more complicated, but 
it's worth the effort.

The new version also implements a method for editing
your personal key to set algorithm preferences.  In earlier
releases this had to be done by editing the gpg source 
code and recompiling.

----- Original Message -----
From: "R. Bradley Tilley" <>
To: <>
Sent: Monday, June 03, 2002 10:29
Subject: To upgrade or not?

> Hello GNU loving guys and gals!
> I have been using gpg 1.06 for a long time now (> a year) and have been
> very satisfied with it. I use it with gpa because I like the GUI.
> Mostly, I encrypt files that are stored on my hard drive. However, I do
> occasionally use gpg for email encryption with kmail and Evolution.
> Here's my question:
> Is it worthwhile to upgrade to 1.07? What would I gain, or perhaps lose
> by upgrading? I run RedHat Linux.
> -- 
> Thank you,
> Brad
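An added example, not part of the original message or of GnuPG's code: it compares the two integrity checks the OpenPGP secret-key packet format defines, a two-octet additive sum and a 20-octet SHA-1 hash, to show why the stronger one catches edits the weaker one misses. The post does not name the algorithms, so that mapping is an assumption taken from the OpenPGP specification. The function names and sample octets are constructed, and the sketch works on plain bytes only, leaving out the passphrase encryption.

```python
import hashlib
import hmac

def simple_checksum(material: bytes) -> bytes:
    """Older check: sum of all octets mod 65536, stored as two octets."""
    return (sum(material) % 65536).to_bytes(2, "big")

def sha1_check(material: bytes) -> bytes:
    """Newer check: 20-octet SHA-1 hash of the same octets."""
    return hashlib.sha1(material).digest()

def detects(original: bytes, modified: bytes, check) -> bool:
    """True if the value stored for `original` rejects `modified`."""
    stored = check(original)
    return not hmac.compare_digest(stored, check(modified))

def swap_octets(data: bytes, i: int, j: int) -> bytes:
    """Exchange two octets; the additive sum is unchanged."""
    out = bytearray(data)
    out[i], out[j] = out[j], out[i]
    return bytes(out)

def offset_pair(data: bytes, i: int, j: int) -> bytes:
    """Raise one octet by 1 and lower another by 1; the sum is unchanged."""
    out = bytearray(data)
    out[i] += 1
    out[j] -= 1
    return bytes(out)

# Constructed sample octets standing in for secret-key material (not a real key).
SAMPLE = bytes.fromhex("00112233445566778899aabbccddeeff")

def compare_checks(material: bytes = SAMPLE) -> dict:
    """Report which check notices each constructed modification."""
    cases = {
        "single octet changed": bytes([material[0] ^ 0x01]) + material[1:],
        "two octets swapped": swap_octets(material, 0, 1),
        "offsetting +1/-1 pair": offset_pair(material, 2, 3),
    }
    return {
        name: {"sum16": detects(material, mod, simple_checksum),
               "sha1": detects(material, mod, sha1_check)}
        for name, mod in cases.items()
    }

if __name__ == "__main__":
    for name, result in compare_checks().items():
        print(f"{name:24} sum16 detects: {result['sum16']!s:5}  sha1 detects: {result['sha1']}")
```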