[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: comments on PGP *5*


On 13 Sep 1998, Manoj Srivastava wrote:

> <URL:http://www.shub-internet.org/why_not_pgp_5.html> Thirty-Seven
> Reasons (So Far) Why You Should Wait To Upgrade to, or Use, PGP 5.0:

    That list is severely outdated, and most of the reasons either do
not or no longer apply to PGP 5.0, especially PGP 5.0 for Linux as we
have it here (I don't play with the Windows versions.  It's impossible
to secure anything under Windows anyway.).

    Primary problems with PGP 5.0 relative to 2.6.x:

    1) If you create a DH/DSS key, you will lose interoperability with
       all previous versions.  Do not do this.  Generate only RSA keys.
       There are also other issues related to DH/DSS keys.
    2) The command line interface has changed from 2.6.x, so tools
       designed to automate 2.6.x based signing/whatever will break
       under 5.0 (this includes dpkg-buildpackage, among others).
    3) There are a number of minor bugs dealing with keyring management.
       They're non-critical, and a typical user may never notice them,
       but an advanced user will find them a pain in the ass.
    4) Secure wipe has gone away (IIRC it never worked very well anyway)
    5) The binary for 5.0 is about 3 times larger than for 2.6

    Reasons to install PGP 5:
    1) Older versions cannot verify signatures or decrypt messages made
       by newer versions.
    2) If you use the Debian diffs, PGP 5 can be dropped in next to PGP
       2 without any interference.
    3) Integrated hkp keyserver access.  You can grab keys from
       a server directly into your keyring with PGP 5.  

    Notes for usage:

    1) If you have to use a Windows version above 5.0 (5.5x or 6.0 when
       that comes out) make sure you check your recipient keylist before
       you encrypt.  The system administrator can bind a company key in
       to every encryption request.  That key can be dragged out of the
       recipient box to encrypt to only the designated recipient, but
       there is also a firewall product that checks for the presence of
       that company key and blocks any encrypted messages not using it.
       WARNING: I've been told that if you use the command-line
       interface to the Windows version with an ARR company key enabled,
       it will silently encrypt to both your target and the company key.  
    2) I repeat: generate only RSA keys.  DH/DSS may have some problems,
       and it will cause problems with anyone using 2.6.x.
    3) If you end up with a Windows PGP that doesn't allow generation of
       RSA keys, you can use the Linux version to generate a key, and
       then import it.  This may also bypass the Additional Recipient
       Request key addition, but I've never tested it.
 Zed Pobre <zed@va.debian.org> | PGP key on servers, fingerprint on finger
* This message signed with PGP 5.0.  You can verify with 2.6.x, though.

Version: 5.0
Charset: noconv


Reply to: