Detecting PGP 2.6.x keys

Aleksandar Milivojevic amilivojevic at pbl.ca
Fri Sep 17 18:54:12 CEST 2004 

David Shaw wrote:
> Why should he?  In most of the world he can't even use IDEA legally
> without a licence.  This isn't his problem (over 90% of the userbase).
> This is user A's problem (less than 10% of the userbase).

My previous reply was kind of joke (to put a bit of humor into the 
discussion).

However on the serious side, even if 90/10% figures are correct (let 
assume they are for the sake of discussion), percentage of users that 
have problem and might have use of such an option is higher.

Since the option would be needed by users not using 2.x (as you named 
them "modern users"), statistically on average anybody who has 10 public 
keys (from 10 correspondents) on his keyring, should have one 2.x style 
key (one correspondent who belongs to "non-modern users").  Which means 
that (statistically) fair amount of those 90% modern users, will have at 
least one correspondent that belongs to 10% group, and his life would be 
much easier with such an option (having not to have to think should he 
just encrypt, or should he use special options to encrypt, it would just 
be done automatically for him, like in PGP 7.x or whatever is current 
version).

Of course this is just my (biased) opinion, and if I'm the only one who 
thinks this way, its fine by me.

> In any event, this is not a useful suggestion.  When working on GnuPG,
> I have to follow the OpenPGP standard.  There is absolutely no
> requirement in OpenPGP that a client supports IDEA, and therefore I
> cannot assume that a client supports it either.

It also says that implementation can support IDEA.  So there's no 
requirement not to support it, or to assume that client doesn't support 
it if there are hints that it might support it.  Something like approach 
commercial PGP took.  But OK, GnuPG supports it by the means of an 
add-on module, so this is a bit of no relevance.  I guess one day IDEA 
petent expires, it will become standard part of GnuPG (just like it 
happened with RSA).

One additional argument might be that vast majority of people that are 
still using PGP 2.x generated keys, are using them to be able to 
communicate with people who still use PGP 2.x binaries.  In which case 
they must have IDEA module for GnuPG installed.  I've never revoked my 
PGP 2.x key because of this reason, but I prefer if people use my new V4 
key.

I would guess (and would be suprised if I'm wrong) that vast majority of 
people who don't have need for this backward compatibility with PGP 2.x 
have already generated (and are using) new V4 keys.  If nothing else, 
they created new keys because back in 2.x days 768 bit was considered 
commercial grade, and 1024 was considered military grade, and (some) 
people were looking at folks using 2048 bit keys as they look today on 
those using 4096 bit keys.  And remember, one of the menu options was 
512 bit key (nobody is using those anymore, hopefully).  They probably 
wouldn't mind if little inconvinience would force their correspondents 
to finally start using newer keys ;-)

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

More information about the Gnupg-users mailing list