Detecting PGP 2.6.x keys
David Shaw
dshaw at jabberwocky.com
Thu Sep 16 21:30:34 CEST 2004
On Thu, Sep 16, 2004 at 01:49:58PM -0500, Aleksandar Milivojevic wrote:
> David Shaw wrote:
> >Although, I should add that if you really want to see a key version,
> >you can do 'gpg --export key | gpg --list-packets' and pipe that
> >through something to parse out the key version. That's not a
> >supported interface though, and may change in the future.
>
> Thanks for your help. I believe that this will be usable for what I
> need it (althoug it would be nice if there was a more direct way of
> doing it). I'll just parse the output searching for "version 2, algo 1"
> lines.
>
> For what I need it, I can assure that everybody with PGP 2.6 style key
> is actually using PGP 2.6. Anyhow, even in general case, if somebody is
> using PGP 2.6 style key, than he probably has idea code compiled in or
> as a module. Otherwise, he would loose access to all his previously
> encrypted data.
It's not just that the person with the PGP 2.x key must have IDEA -
it's that people with OpenPGP might not. Take this case: User A has a
PGP 2.x key. User B has an OpenPGP key. In an effort to accomodate
user A, you encrypt using IDEA. However, user B does not have IDEA.
By trying to be backwards compatible with user A, you accomplish
locking out the modern user B. The only really safe way to handle PGP
2.x users is to encrypt twice - once for the PGP 2.x people, and once
for everyone else.
> BTW, completely off topic. When somebody migrates from PGP 2.x to say
> GnuPG, can he migrate his old RSA key and signatures into new V4 format
> (effectively getting V4 key that has same key data as his old key)? Or
> the only way is to create new V4 key, get all people to sign it again,
> and so on...
Yes and no. Yes, you can convert a V3 key to a V4 one, and such a key
would be mathematically able to decrypt the messages sent to, and
verify sigs from, the old V3 key. However, the key ID of the new key
would be different, which makes this somewhat pointless since in
practical terms, the encryption program would not know to use the new
key. Plus, signatures on the old V3 key would not transfer to the new
V4 key. There is really no benefit in converting a key this way.
It is also possible to convert an old V3 key into a subkey on a V4
key. This is somewhat less pointless, but still not that useful in
practice.
David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 251 bytes
Desc: not available
Url : /pipermail/attachments/20040916/e05d48bb/attachment.bin
More information about the Gnupg-users
mailing list