Migrating from PGP to GPG question

Robert J. Hansen rjh at sixdemonbag.org
Wed Mar 3 05:00:24 CET 2010


> What are the ramifications of just saying "yes" to the prompt - update preferences?  How potentially serious is the algorithm mismatch?  I'd like to better understand exactly what is happening.

Ever since the very early days, PGP has supported a cryptographic algorithm called IDEA.  Back in the early '90s IDEA was considered a strong, promising cipher.  Time has not been kind to it.  The current judgment of IDEA is that it is strong *enough*, but not really strong, and it is not considered especially promising.  It is also subject to software patents.  For these reasons, the current revision of the OpenPGP specification does not require or recommend that implementations support IDEA.

(The OpenPGP *specification* is not the same thing as PGP or GnuPG, which are *implementations* -- in the same way that Outlook and Thunderbird *implement* email protocols, but those protocols are *specified* in other places.)

Anyway.  By default, GnuPG does not support IDEA.  PGP does, mostly because they still have customers who need it.  Different strokes for different folks.

What GnuPG is warning you about is, "your current key says that other people can use IDEA when sending you encrypted email.  I can't read IDEA.  This will be a problem if anyone sends you IDEA-encrypted traffic.  Would you like for me to change your key so that other people can know not to send you IDEA traffic?"

I'm hedging my bets a little bit, since I don't know enough about your specific needs to speak with certainty.  That said, I believe it is safe for you to answer "yes" here.




More information about the Gnupg-users mailing list