[Announce] GnuPG 2.1.0 "modern" released
wk at gnupg.org
Thu Nov 6 17:49:59 CET 2014
On Thu, 6 Nov 2014 15:01, mcr at sandelman.ca said:
> Werner Koch <wk at gnupg.org> wrote:
> > - All support for PGP-2 keys has been removed for security reasons.
> Does this mean that documents signed decades ago with PGP2 can no longer
> be verified?
Right. It is anyway useless because you have to assume that such
signatures are broken. If you want to decrypt you should have 1.4
versions somewhere. See the whats-new-in-2.1 article:
1.2 Removal of PGP-2 support
Some algorithms and parts of the protocols as used by the 20 years old
[PGP-2] software are meanwhile considered unsafe. In particular the
baked in use of the [MD5] hash algorithm limits the security of PGP-2
keys to non-acceptable rate. Technically those PGP-2 keys are called
version 3 keys (v3) and are easily identified by a shorter fingerprint
which is commonly presented as 16 separate double hex digits.
With GnuPG 2.1 all support for those keys has gone. If they are in an
existing keyring they will eventually be removed. If GnuPG encounters
such a key on import it will not be imported due to the not anymore
implemented v3 key format. Removing the v3 key support also reduces
complexity of the code and is thus better than to keep on handling
them with a specific error message.
There is one use case where PGP-2 keys may still be required: For
existing encrypted data. We suggest to keep a version of GnuPG 1.4
around which still has support for these keys (it might be required to
use the `--allow-weak-digest-algos' option). A better solution is to
re-encrypt the data using a modern key.
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-users