PGP & GPG compatibility

Len Sassaman rabbi at quickie.net
Mon Jan 21 19:18:14 EST 2002


On Sun, 20 Jan 2002, John Gilmore wrote:

> These days, PGP is effectively useless for interoperable email.  If
> you have not prearranged with the recipient, you can't exchange
> encrypted mail.  And even if you have, one or the other of you will
> probably have to change your software, which will produce other ripple
> effects if you are trying to talk to TWO different people or groups
> using encrypted email.

Really, interoperability is not that bad. Aside from some rather obscure
nits between implementations, every PGP implementation pretty much talks
to every other one without any major problems.

The biggest compatibility barriers are PGP 2.6 users' inability to encrypt
to v4 (the newer OpenPGP) keys, and GnuPG's lack of the IDEA algorithm.

The former is solved either by PGP 2.6 users upgrading their PGP software
to one that understands v4 keys (note that this doesn't mean they need to
give up their older v3 (PGP 2.6-style) keys), or the other user generating
a v3 key for use with 2.6 users. I use PGP on a regular basis for a large
portion of my email, and rarely have I encountered this problem. Whenever
this discussion comes up, someone inevitably insists that PGP 2.6 is in
widespread use and PGP as a whole is flawed because 2.6 can't encrypt to
the newer keys, but I just don't see this as a reality.

The second problem is a less severe extension of the first problem, and
used to be easily correctable by dropping in an IDEA algorithm module
(which, unfortunately, seems to no longer exist on the GnuPG website). The
lack of IDEA in GnuPG makes it less friendly to those wishing to upgrade
from PGP 2.6 or communicate with PGP 2.6 users, but again, this isn't
noticeable by the majority of the users.

The biggest problem with PGP is not an interoperability issue, but a UI
issue. A secure email system should appeal to the casual user, and also be
easily deployed by the casual user. Most email users don't understand how
signatures work, what public key crypto really does, what signing keys and
checking fingerprints are for, etc. Even if all versions of PGP had been
designed perfectly the first time, interoperated with each other
flawlessly, and had no bugs appear in them ever, this problem would still
exist. PGP intentionally sacrifices usability for security.



--Len.





