Archaic PGP usage
Robert J. Hansen
rjh at sixdemonbag.org
Thu Jul 23 23:13:49 CEST 2015
> I know this list doesn't deal with PGP, but since no else does either
> any more, it seems like the best place to start.
Old versions of PGP were at least FOSS-friendly, if not FOSS themselves,
so it's probably safe to discuss it here. :)
> Do people (other than John Young) still use PGP? Why would someone want
> to do that?
You'd have to ask them. There are some reasons to keep using ancient
versions of PGP, but why these specific people keep using ancient PGP is
really a question for them and not this list.
1. PGP 2.6 is *small*. The original PGP specification (RFC1991) is a
small fraction of the size of the modern OpenPGP specification
(RFC4880). When it comes to trustworthy code, small is beautiful.
2. PGP 2.6 is extremely well-audited. GnuPG and Symantec's PGP are
both moving targets, but PGP 2.6 really hasn't changed in about 20
years. That gives a lot of confidence that its major bugs have been
3. PGP 2.6 is "good enough crypto". Modern OpenPGP adds a ton more
capabilities, but for many users PGP 2.6 offers them just enough to do
what they need. The small-is-beautiful camp tends to have a lot of
overlap with the good-enough-crypto camp.
... All this being said, do I recommend PGP 2.6? Absolutely not: its
dependency on MD5 alone should disqualify it. But that doesn't mean I
don't understand some of the motivations of the people who keep using it.
More information about the Gnupg-users