some(!) PGP / GPG compatibility question

disastry@saiknes.lv
Tue May 21 18:38:15 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Aditya adityald2@gmx.net wrote:
> 
> I created a new pgp 7.1 key with the following parameters
> (
>   key type   : RSA [*NOT* legacy],
>   key size   : 4096,
>   key cipher : AES
> )
> 
> now when I import this key in GPG in Linux or Solaris I cannot see my name
> or any other key details and mutt on linux shows a ? besides my id in the
> key...

there is a bug in PGP 7: it uses an old-style checksum (or something) on RSA v4 keys :/
(I may be wrong)

> I think this means the new PGP / GPG keys are not compatible
> 
> So my questions are
> 
> 1. what are the safe parameters for a key to be compatible with PGP and GPG ?
> 
> I have come with the following parameters
> ( 
>    key type   : DH/DSS
>    key size   : 4096/1024
>    key cipher : IDEA
> )

do not use (only) IDEA with DH keys - if you do, it will be incompatible with GPG.
IDEA is needed for compatibility with PGP 2.6, but DH/DSS keys
are incompatible with 2.6 anyway.

> I would like to use the same key for GPG on linux and PGP for windows
> and the key should be compatible with most of pgp / gpg implementations 
>  
> 2. I read in Bugtraq mailing list key size smaller than 1024 can be cracked by NSA,
> FBI and likes so is the above key safe from this type of attack ?
>  
> 3. my private key has a sub key that is 786 bytes in length.
> Will this key allow all the data encrypted with my other key
> to be cracked ( other keys are 4096 and 2048 bits long ) ?

no.
PGP normally encrypts to newest subkey.
786 bit (not byte ;-) ) subkey probably is the oldest one,
but it may be a good idea to revoke this subkey anyway.

> 4. I searched google and saw some rumblings on the web about the DH/DSS algo being less secure than RSA.
> Would this matter in the generation of new key ( ie I should not generate a DH/DSS type of key ) ?
>  
> 5. which key servers are the most reliable for use with pgp / gpg ? ( the original keyservers in PGP seem to be unstable )

for example:
pgp.surfnet.nl (alias wwwkeys.nl.pgp.net, keys.pgpi.net)
blackhole.pca.dfn.de (alias wwwkeys.de.pgp.net)

> 6. if I generate a new key what is the best way to let the people know that I have generated a new key
> and that they should stop using the old key ( of course I will revoke it if required ) ?
> should I sign my new key with the old key for this and put the key on a public keyserver or
> should I not revoke the old key but instead change the name in the old key to reflect the
> new keys ID and fingerprint and urging them to use the new key ? 
> (ie change the name in old key to something like 
> please use new key KeyID: 0xXXXXXXXX, Fingerprint : XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX)

you can do all of this,
of course add the name and sign the new key before you revoke - PGP will not
allow adding a name to a revoked key or signing with a revoked key.
you can also sign this name with the new key.

> 7. I am using pgp 7.1 which has the ability to use X.509 Certs. Until now I
> used an X.509 cert and PGP Key for secure email and VPN and Encrypting file
> system in Win2k. is there a way to consolidate both of them to one key /
> cert that can be used in secure email, VPN and encrypting file system and
> still have the multiple names the way new RSA or DH/DSS keys have ? ( any
> ideas that u may have will be helpful, we use our own X.509 root Cert for
> internal certs )
> 
> 8. is the encrypt to self option in PGP / GPG a security hole or a feature ?
> can it be used to do anything malicious ?
> 
> 9. I have ikey 1000 token. If I wish to put the public/private key on this
> token what is the way to tell pgp 7.1 to use this token ?
> 
> 10. I wish to have an ADK in my key so that if I ever forget my password I
> can use the other key to decrypt the email / files how does one put an ADK in
> the newly generated key ?

with PGP admin, but it's not a good idea (IMHO)

there is more chance that you will forget the password for the other key,
it's much easier to forget a password that is not frequently used.

but you can write your passphrase to a file and encrypt that file to the other key.

> 11. is there any good GPG front end for linux ( x windows, Windows 9x,
> 2000 ) like PGP for
> windows for doing the key management ( GPL, BSD any lic will do only that it
> should be free for personal use )

__
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
 ^----PGP 2.6.3ia-multi06 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
      AES, 3DES ciphers and MD5, SHA1, RIPEMD160, SHA2 hashes)
-----BEGIN PGP SIGNATURE-----
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1

iQA/AwUBPOnY2jBaTVEuJQxkEQOouwCfb2jpmBq4vndG7op4SNcIrXMFhqEAn2WU
1/cc+/vUZGNEIy0wT9ZJNzfn
=eQFi
-----END PGP SIGNATURE-----
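
An added example, not part of the original message and not code from PGP or GPG: a small Python reader for binary (non-armored) OpenPGP key packets that lists each v4 key and subkey with its algorithm and size and flags anything under 1024 bits, which is one way to locate a short subkey like the one raised in question 3. The helper names and the sample key bytes are constructed for illustration; the sample is not real key material.

```python
ALGOS = {1: "RSA", 16: "ElGamal (DH)", 17: "DSA (DSS)"}  # RFC 4880 algorithm IDs
KEY_TAGS = {6: "primary", 14: "subkey"}                  # public key / public subkey
MIN_BITS = 1024  # threshold taken from question 2 above

def read_packets(data):  # yields (tag, body) for each packet in the stream
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: low two bits select the length field size
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length

def list_keys(data):  # returns (role, algorithm, bits, weak) per v4 key packet
    out = []
    for tag, body in read_packets(data):
        if tag in KEY_TAGS and len(body) >= 8 and body[0] == 4:
            # body: version, 4-octet creation time, algorithm, then MPIs
            bits = int.from_bytes(body[6:8], "big")  # bit count of first MPI (n or p)
            out.append((KEY_TAGS[tag], ALGOS.get(body[5], str(body[5])), bits, bits < MIN_BITS))
    return out

def mpi(bits):  # constructed MPI with exactly `bits` significant bits
    n = (1 << (bits - 1)) | 1
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def key_packet(tag, algo, mpis):  # constructed v4 key packet, old-format header
    body = b"\x04" + bytes(4) + bytes([algo]) + b"".join(mpis)
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

# Constructed sample: RSA-4096 primary key plus a 786-bit ElGamal subkey
SAMPLE = key_packet(6, 1, [mpi(4096), mpi(17)]) + key_packet(14, 16, [mpi(786), mpi(2), mpi(785)])
```

On a real key, the input would be the binary output of `gpg --export` for that key; `list_keys(SAMPLE)` marks only the 786-bit subkey as weak.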