GnuPG and PGP 5.0 compatibility problem

Werner Koch wk at gnupg.org
Thu Jul 26 11:45:33 CEST 2007


On Tue, 17 Jul 2007 18:45, stefan-oltmanns at gmx.net said:

> I got the latest GnuPG. The bank uses "PGP 5.0 for OS/2", unfortunately
> I can't change that.

[ Wow, still a bank using OS/2.  Some years ago I heard that IBM dropped
  OS/2 support for the 4758 and thus required the banks to switch to
  Windows. ]

> Unfortunately I haven't found out how to remove this from my key, is
> there a (simple) way to do that?

Keyflags are required for RSA and are in general a very good idea.  If
you want to get rid of them, you need to patch gpg.  Point your editor
to g10/keygen.c and search for the function do_add_key_flags.  Comment
out the last line and compile again.  Then you need to update the
self-signatures of your key: Setting the primary flag or changing the
expire time will do the trick.

> But that doesn't mean PGP 5 is insecure in any way, it's just outdated
> and not RFC2440 conform, right?

The GNU/Linux version is definitely insecure as the RNG has a major flaw.
All keys created with this version and possibly all signing keys used
with this version should be considered compromised.  I have also great
doubts that they are much safer with an OS/2 version.


Salam-Shalom,

   Werner
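
An added example, not part of the original message and not GnuPG's own code: one way to check whether a self-signature still carries the key flags subpacket discussed above, for instance after the self-signatures have been updated. It walks a hashed subpacket area as laid out in RFC 4880 section 5.2.3.1; the function names and sample byte strings are constructed for illustration, and the area is assumed to have been extracted from the signature packet already.

```python
# Added example: decode the key flags subpacket (type 27, RFC 4880 5.2.3.21)
# from the hashed subpacket area of a v4 self-signature.
KEY_FLAGS = 27
FLAG_NAMES = {
    0x01: "certify",
    0x02: "sign",
    0x04: "encrypt-communications",
    0x08: "encrypt-storage",
    0x10: "split-key",
    0x20: "authenticate",
    0x80: "group-key",
}

def parse_subpackets(area: bytes):
    """Return [(type, critical, body)] for every subpacket in the area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        # The length counts the type octet, so zero is never valid.
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or empty subpacket")
        # Bit 7 of the type octet is the "critical" marker.
        out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]))
        i += length
    return out

def key_flags(area: bytes):
    """Names of the set key flags, or None if no type-27 subpacket exists."""
    for sp_type, _critical, body in parse_subpackets(area):
        if sp_type == KEY_FLAGS:
            first = body[0] if body else 0   # only the first octet is decoded
            return [name for bit, name in FLAG_NAMES.items() if first & bit]
    return None

# Constructed sample areas (not taken from a real key):
# creation time (type 2), key flags 0x03, preferred symmetric algorithms (type 11).
WITH_FLAGS = bytes.fromhex("050246a86f0d" "021b03" "030b0908")
WITHOUT_FLAGS = bytes.fromhex("050246a86f0d" "030b0908")
```

`key_flags()` returning `None` means the self-signature has no key flags subpacket at all, which is different from a subpacket that is present with no bits set (an empty list).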




