PGP & GPG compatibility

Will Price wprice at cyphers.net
Tue Jan 15 20:25:15 EST 2002 

Werner Koch wrote:
> According to the bug reports I receive for GnuPG, it seems that
> even the latest versions of PGP (7.0.3?) are still not OpenPGP
> compatible.  

No, the latest version for Win32 is 7.1.1, and for MacOS 9 it is
7.1.0. I think it should be pointed out what a loaded statement the
above is as well. That's like saying, "have you stopped beating your
wife?" I would encourage some objectivity on that.

> At least they still don't understand version 4 signatures on data
> packets (only on keys).  I had in mind that this was fixed some
> time ago, but obviously this isn't the case.

I'm fairly sure we support that in 7.1.0 and up.

> There is a problem wrt text mode signatures: [..]

That's not the only problem with text mode signatures. International
characters present an even larger challenge. Most of this is not
PGP/GPG's problem technically. The plethora of mail clients out there
don't handle it well either. Going forward, UTF8 migration is likely
to cause some growing pains for everybody.

> Interoperability tests should have happened last summer but for
> unknown reasons they didn't.  It is very sad to see that after 3
> years we have not achieved to get OpenPGP into draft status :-(.

It is a mystery to us as well what happened with that... We were
ready to proceed, but we were not the organizer so it was out of our
hands.

Derek Atkins wrote:
> Is there even development on the PGP (product) line?

Well, yes, but see:

	http://www.pgp.com/other/jump/customer-faq.asp

The products you know as "PGP" are in a "maintenance mode" "until a
transition agreement is developed with a purchasing vendor". So, we
currently are in the process of working through that. We just
released PGP 7.1.1 last week, so development does continue in the
meantime.

> AFAIK they (NAI) have not release PGP 7.x in source form.

Not true. See:

	http://www.pgp.com/downloads/pgpsdk-agreement.asp

The SDK (which still includes little bits of your code Derek, and all
other crypto/network/passphrase and even all the UI code which
interacts with the crypto related code) has been published up through
7.1.1. The Windows GUI was last published at 6.5.8.

> Worse, there are a couple of bugs I found in 6.5.8 when
> I was porting it to Tru64, but who knows if anyone is
> listening over at NAI.

I don't know who you sent these to. You could always have sent diffs
directly to me to make sure they get handled. The official address
for these things remains peerreview at pgp.com. I am on that list so you
couldn't have sent it to that one either since I haven't seen any
diffs from you ever as far as I can recall.

> I think people used to get better support when I personally
> answered pgp-bugs at mit.edu.  I stopped providing that service due to
> lack of time, and I'm afraid that PGP support went out the window. 
> From my perspective, NAI never provided any support for PGP -- even
> when I submitting patches, they would ignore them.

It's always nice to find people willing and able to provide support
for free. In the real world, that rarely happens even for free
products (Cygnus, etc.). Outside firms have rated our PGP support 6.3
out of 7 based on customer surveys. Mind you, the people surveyed are
the people who pay for the software. Our support really is quite good
for enterprise customers, but admittedly can be considered weak or
non-existent for freeware users. Without a support contract, I can
see how some people could find PGP support frustrating. Many of our
developers lurk in PGP newsgroups/mailing lists though and regularly
help users out there on an informal basis.

A few weeks ago, I spent over $30 on a support call to Intuit. I was
incensed! I almost paid more to ask them why it doesn't work than I
did to buy their product. On the other hand, I don't see how else
they could do it and still make money. I don't really see any great
solutions to mass consumer tech support, and frankly there isn't much
of a paying market among consumers anyway. So, I applaud all those
who offer free support, I do it myself quite often, but there's only
so much time in a day.

Side note, this may all be a moot point if a "transition agreement
with a purchasing vendor" is not worked out RSN.

-- Will

Will Price, Director of Engineering
PGP Security, Inc.
a division of Network Associates, Inc.





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list