question - Gnupg compatibility with Symantec

Ángel angel at pgp.16bits.net
Wed Mar 10 02:23:45 CET 2021


On 2021-03-08 at 15:57 +0000, Call, Margaret wrote:
> Good morning,
>  
> We would like to migrate our Symantec PGP to GNU PGP.  We tested the
> system last week with new PGP users and a user that migrated to GNU
> from Symantec.  We have fixed all bugs except one:
>  
> Our legacy Symantec users (who have not yet transferred over to GNU)
> are unable to decrypt/read GNU PGP emails. 
>  
> We work on a Windows System with Microsoft Office 16.  The version
> of Outlook is: 16.0.11929.20776
>  
> We downloaded Gpg4win from this webpage: gpg4win.org
>  
> Kleopatra version 3.1.15.0
>  
> Thanks for any insight as to why Symantec users are unable to
> decrypt/read the GNU PGP emails.
>  
> Margaret

Welcome Margaret

Which Symantec PGP version are you using? What kind of keys are they
using? Note that what once was Symantec PGP is now part of Broadcom.

I find the problem a bit peculiar, since you shouldn't be having a
problem at this point. Were the keys of the legacy users originally
generated by Symantec PGP? OpenPGP keys describe their capabilities.
Thus, an older version shouldn't be unable to decrypt the content that
was sent by a newer software. It might be unable to verify the
signature, or to reply back, but it should be able to decrypt what was
written to its key.
Or, if the new version had deprecated some algorithm needed by the old
key, I would expect the problem to surface on encryption, not for
decryption.

Similarly, the old version could have issues encrypting to a key using
newer algorithms (or just to import such a key; Symantec PGP will
misleadingly claim there is no key when the error is actually that it
is unable to import it for being too new for them).

Another possibility would be some error not at actually decrypting the
emails, but at *detecting* that the emails contain PGP data. I actually
find that more likely. Integration with some mail clients is somewhat
fragile, and moreover, certain servers are prone to helpfully "fix"
PGP/MIME messages by corrupting them.

My recommendation is to begin by testing encryption first, and then
moving to encrypted emails. Encrypt on the GnuPG client with the key of
a legacy user, copy that to their machine and have them attempt to
decrypt it. Similarly, try to encrypt a file and send it back. That
shouldn't be an issue either, assuming the GnuPG user had some
conservative options.
If it works by manually exchanging encrypted files, then the problem
lies at the mail layer, although it's a bit hard to guess if it's a
problem with the client sending the encrypted email, with the client
receiving the email and not decrypting it, with a mail server changing
the message... or a mix of those.

Kind regards
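
To check the possibility raised above that the failure is in *detecting* PGP data rather than in decrypting it, the raw source of a received message can be inspected for a well-formed PGP/MIME (RFC 3156) structure. The Python script below is an added example, not part of the original post or of GnuPG; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string

ARMOR = "-----BEGIN PGP MESSAGE-----"

def text(part):
    # Decode base64/quoted-printable transfer encodings before searching.
    return (part.get_payload(decode=True) or b"").decode("ascii", "replace")

def classify(raw):
    """Return (kind, problems) for one raw message as the recipient got it."""
    msg = message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    types = [p.get_content_type() for p in leaves]
    top = msg.get_content_type()
    if top == "multipart/encrypted":
        # RFC 3156: a control part, then a single ciphertext part.
        problems = []
        if msg.get_param("protocol") != "application/pgp-encrypted":
            problems.append("bad or missing protocol parameter")
        if types != ["application/pgp-encrypted", "application/octet-stream"]:
            problems.append("unexpected parts: %s" % types)
        elif "Version: 1" not in text(leaves[0]):
            problems.append("control part lacks 'Version: 1'")
        elif ARMOR not in text(leaves[1]):
            problems.append("ciphertext part has no armor header")
        return "pgp-mime", problems
    if "application/pgp-encrypted" in types:
        # Parts survived but the container was rewritten in transit.
        return "rewritten", ["top-level type is %s" % top]
    if any(ARMOR in text(p) for p in leaves if p.get_content_type() == "text/plain"):
        return "inline", []
    return "none", []

# Constructed samples; the armor body is a placeholder, not real ciphertext.
BODY = ARMOR + "\n\nplaceholder\n-----END PGP MESSAGE-----\n"
GOOD = (
    "From: a@example.org\nTo: b@example.org\nMIME-Version: 1.0\n"
    'Content-Type: multipart/encrypted;\n'
    ' protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b1\nContent-Type: application/octet-stream\n\n" + BODY + "--b1--\n"
)
REWRITTEN = GOOD.replace(
    'multipart/encrypted;\n protocol="application/pgp-encrypted";', "multipart/mixed;")
INLINE = "From: a@example.org\nContent-Type: text/plain\n\n" + BODY

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("rewritten", REWRITTEN), ("inline", INLINE)]:
        print(name, classify(raw))
```

Comparing the result for the copy in the sender's Sent folder with the result for the copy the legacy user received shows whether the message structure changed in transit.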
