Rare condition incompatibility of public key

David Shaw dshaw at jabberwocky.com
Mon Dec 1 06:23:27 CET 2008

On Nov 30, 2008, at 11:40 PM, Robert J. Hansen wrote:

> Myckel Habets wrote:
>> The person who said to me that the key validates as bad uses the PGPkeys
>> program from the PGP corporation software (version 6.58, last version
>> that was released when Phil Zimmermann worked there, he doesn't trust
>> later versions) to do the validation.
> This is factually untrue.
> Phil Z. left PGP Security, a branch of Network Associates, in early
> 2001.  This would've been just after the PGP 7.1 release.  Phil himself
> has sworn to the solidness of the PGP 7.0 and 7.1 releases.  Despite
> there being no source release, most people -- myself included --
> consider Phil's word to be good.
> Network Associates shut down PGP Security in early 2001.  PGP
> Corporation was formed as a completely separate business entity which
> purchased the desktop PGP products from Network Associates.  Most of the
> key players from PGP Security came on board at the new PGP Corporation.
> Phil Z. has officially left PGP Corporation to pursue other interests,
> if memory serves.  This doesn't surprise me in the least.  After a
> decade and a half at the same job, he's entitled to do other things.  As
> of late, secure internet telephony has been his object of interest.
> That said, Phil is still in close contact with many of the principal
> people at PGP Corporation.
>> 1) What is causing this problem? Is my key really bad or is this an
>> incompatibility between PGPkeys version 6.58 and GPG?
> Toyota has a philosophy that when investigating failures, one should ask
> "why?" multiple times.
> Q.  Why is this failure occurring?
> A.  Your friend is using an antique version of PGP.
> Q.  Why is your friend using an antique version of PGP?
> A.  Your friend doesn't trust versions Phil hasn't worked on.
> Q.  Why does your friend mistakenly think Phil hasn't worked on
>    7.0 and later versions?
> A.  ... I don't know.  You may want to look into this.
> As far as engineering maxims go, the Toyota school of thought is pretty
> good.  Find the deepest level of failure and fix that, rather than
> fixing superficial problems.

I think that last question is irrelevant, as it follows from the  
"doesn't trust versions that Phil hasn't worked on", which makes it  
derived from a false premise.  It does not matter whether Phil has  
worked on 7.0 and later, or indeed any version of PGP, because Phil  
being involved does not ipso facto cause PGP to be good (for whatever  
value of "good" you like).  If the equation is "Phil involved == good  
PGP", and "Phil not involved == bad PGP" then the battle for making  
intelligent decisions about PGP has been lost from the start.  Phil is  
a good guy, and he did start something huge, but his involvement is  
not magic pixie dust that causes crypto goodness to spring into being.

> Other people have suggested convincing your friend to use a more recent
> version of PGP, or a recent version of GnuPG.  It's good advice, as far
> as it goes.  I think the problem goes deeper than that, however.

I think it does as well.  Once upon a time, I spent a lot of hours  
coding various workarounds in GnuPG for old versions of PGP.  This is  
where the --pgp2, --pgp6, --pgp7, etc, flags in GnuPG came from.  Now,  
years later, I sometimes wonder if I made a mistake.  Perhaps it would  
have been wiser to bite the bullet and let these things break.

