Johan Wevers johanw at
Mon Jun 25 16:18:08 CEST 2012

On 25-06-2012 0:11, Werner Koch wrote:

> A few years later it was obvious that MD5 is broken in practice. I can't
> understand anyone suggesting to use PGP2.  I have heard of people keep
> on using and suggesting >=4k keys but still being bounded to the broken
> MD5 and the flawed PGP public key packet and protection.  This is plain
> stupid.

That depends on your threat model. If signing messages is not so
important to you but encrypting is, this advice is understandable. So
let MD5 be broken, it matters not for encryption. Not that I would
suggest to start using pgp 2 now, but I have no issues using my old pgp
2 key with GnuPG.

> The RNG in PGP2 is also questionable because it has not been designed to
> cope with modern OSes.

Did anyone study the effect this has in using pgp 2 on modern Linux or
Windows systems? I have the impression that very serious bugs, like the
one in the RNG for pgp 5 for Unix, will eventually surface anyway.

> Now some claim that PGP 2 is better because it is so easy to audit the
> code.  Okay, that might be the case for the PGP 2 source.  However, who
> is going to audit the libc, WM (note keyboard interrupts!), kernel,
> msvc, gcc or hypervisor code.  That is far more complex than PGP 2.  If
> I had to write malware I would never directly attack PGP or GPG but go
> for other components (D-Bus services anyone?).  Subvert the most
> invisible part of the system and not what script kiddies will do.

This suggests a threat model where your opponent has almost Stuxnet-like
capabilities. Since the pgp 2 days we get warnings about adapted
compilers, but I've never seen something like that surfacing. I'm not
saying it is impossible but I doubt it is practically doable on a large

ir. J.C.A. Wevers
PGP/GPG public keys at
