Detecting PGP 2.6.x keys

David Shaw dshaw at jabberwocky.com
Thu Sep 16 17:50:13 CEST 2004 

On Fri, Sep 10, 2004 at 09:15:26AM -0500, Aleksandar Milivojevic wrote:
> I'm writing a shell script wrapper around gpg.  I need a way to detect
> if the recipient's public key was generated by PGP 2.6.x so that I can
> use appropriate options (in order for the recipient to be able to
> decrypt the message).
> 
> I know that gpg is able to detect this type of key internally (for
> example showpref run on such a key will result in appropriate error
> message).  But there doesn't seem to be any option for listing the
> keys that will include in the output that this is old PGP 2.6.x key.
> I've tryied using --with-key-data, but there doesn't seem to be
> documentation on output format, and the parts that I managed to
> decode what they could be are not usefull for this purpose...

There is no way to see the version of a key directly.  You can infer
some information by noting that the V3 keys are sign+encrypt RSA,
which is uncommon in the V4 world, but that doesn't guarantee a V3
key.

Even so, this is a can of worms: there are V3 keys with V4 signatures,
or V4 self-signatures.  Those are likely being used on a modern
OpenPGP application, so beware using PGP 2.x parameters which might
make the message not readable.

> BTW, it would be nice if gpg was able to handle this automatically
> (when PGP 2.6.x style public key is detected, just use appropriate
> cipher (if IDEA is available), hash, and compression, printing
> appropriate warning message or such).  Something like newer versions
> of PGP are doing.  New stuff is great (OpenPGP, new standards, open
> source, patent free software and such).  Backward compatibility
> without having to use mile long command line options is even better
> ;-)

"--pgp2" is hardly a mile long.

Perfect backwards compatibility is not possible since a PGP 2.x key
doesn't mean that the user is using PGP 2.x.  It just means they
generated their keys a long time ago.  Forcing PGP 2.x options for a
mix of keys (old & new) can cause the owner of new key to not be able
to decrypt the message.  GnuPG tries to be compatible with the old PGP
2.x stuff, but never at the cost of hurting compatibiltity with the
current stuff.

Right about now is usually when I get a lot of email complaining about
this comment, and how PGP 2 is the only good version, etc, etc, etc.
People seem to get *really* angry on this topic.

At the risk of enflaming passions, note that OpenPGP is hardly "new"
any longer.  V4 keys date from 1997, and are over 90% of the keys on
the keyservers.  If you take into account keys that are actually used,
as opposed to old forgotten keys, then I suspect the percentage of
OpenPGP keys would be even higher.

David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 251 bytes
Desc: not available
Url : /pipermail/attachments/20040916/f14df515/attachment.bin

More information about the Gnupg-users mailing list