Re: comments on PGP *5*
On 13 Sep 1998, Manoj Srivastava wrote:
> <URL:http://www.shub-internet.org/why_not_pgp_5.html> Thirty-Seven
> Reasons (So Far) Why You Should Wait To Upgrade to, or Use, PGP 5.0:
That list is severely outdated, and most of the reasons either do
not or no longer apply to PGP 5.0, especially PGP 5.0 for Linux as we
have it here. (I don't play with the Windows versions. It's impossible
to secure anything under Windows anyway.)
Primary problems with PGP 5.0 relative to 2.6.x:
1) If you create a DH/DSS key, you will lose interoperability with
all previous versions. Do not do this. Generate only RSA keys.
There are also other issues related to DH/DSS keys.
2) The command line interface has changed from 2.6.x, so tools
designed to automate 2.6.x based signing/whatever will break
under 5.0 (this includes dpkg-buildpackage, among others).
3) There are a number of minor bugs dealing with keyring management.
They're non-critical, and a typical user may never notice them,
but an advanced user will find them a pain in the ass.
4) Secure wipe has gone away (IIRC it never worked very well anyway).
5) The binary for 5.0 is about 3 times larger than for 2.6.
Reasons to install PGP 5:
1) Older versions cannot verify signatures or decrypt messages made
by newer versions.
2) If you use the Debian diffs, PGP 5 can be dropped in next to PGP
2 without any interference.
3) Integrated hkp keyserver access. You can grab keys from
a server directly into your keyring with PGP 5.
Notes for usage:
1) If you have to use a Windows version above 5.0 (5.5x or 6.0 when
that comes out) make sure you check your recipient keylist before
you encrypt. The system administrator can bind a company key into
every encryption request. That key can be dragged out of the
recipient box to encrypt to only the designated recipient, but
there is also a firewall product that checks for the presence of
that company key and blocks any encrypted messages not using it.
WARNING: I've been told that if you use the command-line
interface to the Windows version with an ARR company key enabled,
it will silently encrypt to both your target and the company key.
2) I repeat: generate only RSA keys. DH/DSS may have some problems,
and it will cause problems with anyone using 2.6.x.
3) If you end up with a Windows PGP that doesn't allow generation of
RSA keys, you can use the Linux version to generate a key, and
then import it. This may also bypass the Additional Recipient
Request key addition, but I've never tested it.
Zed Pobre <firstname.lastname@example.org> | PGP key on servers, fingerprint on finger
* This message signed with PGP 5.0. You can verify with 2.6.x, though.
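Usage note 1 above says to check the recipient list before encrypting, because an ARR company key can be bound into the request silently. One way to verify this after the fact, added here as an example (not code from the post or from PGP): parse the OpenPGP packet stream of an encrypted message and list the key ID of every Public-Key Encrypted Session Key packet, then compare that against the recipients you intended. The sample message bytes and key IDs below are constructed placeholders, not a real ciphertext.

```python
"""List the key IDs an OpenPGP message is encrypted to (RFC 2440 packet framing)."""
import struct

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet: one per recipient

def _packet_header(data, pos):
    """Parse an old- or new-format packet header; return (tag, body_start, body_len)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header
        tag, l1 = first & 0x3F, data[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + data[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")

def recipient_key_ids(message):
    """Return the 64-bit key IDs (hex) from every PKESK packet, in order."""
    ids, pos = [], 0
    while pos < len(message):
        tag, body, length = _packet_header(message, pos)
        if tag == PKESK_TAG:
            # PKESK body: version(1) | key ID(8) | public-key algorithm(1) | MPI(s)
            if message[body] != 3:
                raise ValueError("unsupported PKESK version %d" % message[body])
            ids.append(message[body + 1:body + 9].hex().upper())
        pos = body + length
    return ids

def unexpected_recipients(message, intended):
    """Key IDs in the message that are not in the intended list (e.g. a silently added ARR key)."""
    intended = {k.upper() for k in intended}
    return [k for k in recipient_key_ids(message) if k not in intended]

# Constructed sample, not a real ciphertext: two PKESK packets (old- and new-format
# headers, placeholder key IDs, RSA algorithm 1, dummy MPI) followed by a dummy
# symmetrically encrypted data packet (tag 9).
SAMPLE = (bytes.fromhex("840e" "03" "1122334455667788" "01" "0010abcd")
          + bytes.fromhex("c10e" "03" "8899aabbccddeeff" "01" "0010abcd")
          + bytes.fromhex("a404" "deadbeef"))
```

Run `unexpected_recipients(ciphertext, [your_recipient_key_id])` on the binary (dearmored) output of an encryption; any key ID it returns is a recipient you did not ask for.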