[Announce] GnuPG 2.1.0 "modern" released

[Werner Koch]

On Thu,  6 Nov 2014 15:01, mcr at sandelman.ca said:
> Werner Koch <wk at gnupg.org> wrote:
>     >   - All support for PGP-2 keys has been removed for security reasons.
>
> Does this mean that documents signed decades ago with PGP2 can no longer
> be verified?

Right.  It is anyway useless because you have to assume that such
signatures are broken.  If you want to decrypt you should have 1.4
versions somewhere.  See the whats-new-in-2.1 article:

1.2 Removal of PGP-2 support
────────────────────────────

  Some algorithms and parts of the protocols as used by the 20 years old
  [PGP-2] software are meanwhile considered unsafe.  In particular the
  baked in use of the [MD5] hash algorithm limits the security of PGP-2
  keys to non-acceptable rate.  Technically those PGP-2 keys are called
  version 3 keys (v3) and are easily identified by a shorter fingerprint
  which is commonly presented as 16 separate double hex digits.

  With GnuPG 2.1 all support for those keys has gone.  If they are in an
  existing keyring they will eventually be removed.  If GnuPG encounters
  such a key on import it will not be imported due to the not anymore
  implemented v3 key format.  Removing the v3 key support also reduces
  complexity of the code and is thus better than to keep on handling
  them with a specific error message.

  There is one use case where PGP-2 keys may still be required: For
  existing encrypted data.  We suggest to keep a version of GnuPG 1.4
  around which still has support for these keys (it might be required to
  use the `--allow-weak-digest-algos' option).  A better solution is to
  re-encrypt the data using a modern key.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.