Detecting PGP 2.6.x keys

[Johan Wevers]

David Shaw wrote:

>Why should he?  In most of the world he can't even use IDEA legally
>without a licence.

In most cases use will be non-commercial so there shouldn't be a problem.
In other cases I wouldn't care. I've never heard of Ascom-Tech suing
anyone for breach of the IDEA patent.

>This isn't his problem (over 90% of the userbase).
>This is user A's problem (less than 10% of the userbase).

You wrote these 90-10% numbers come from counting keys on a keyserver.
But I disagree with your assesment of the number of abandoned keys:
considering the use of pgp 2.x among people who are more knowledgeable
about encryption, I think there are relatively less abandoned keys among
those 10% than among the 90% v3 keys. Especially among the keys created
with all default parameters among those 90%.

>In any event, this is not a useful suggestion.  When working on GnuPG,
>I have to follow the OpenPGP standard.

But that doesn't prevent decrypting pgp 2.x messages. And I hope it stays
that way (since you fixed the error in 1.3.6 I hope it still is).

>There is absolutely no requirement in OpenPGP that a client supports IDEA,
>and therefore I cannot assume that a client supports it either.

That is a very formal way of reasoning. Anything except 3DES is not
required, but that doesn't mean it can't be used. Now, if I were
advertising some obscure module noone uses except for testing (like the
Skipjack module), I would agree. But not in this case. IDEA is too much
used in the field to be simply ignored (and the GnuPG developers do
acknowledge that, otherwise there wouldn't be an IDEA module and all
this discussion).

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw at vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html