
Re: RFC: gnupg



-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 5 Jul 1998, Jules Bean wrote:

>I have just read the gnupg web pages, at
>
>http://www.d.shuttle.de/isil/crypt/gnupg.html
>
>and I don't see any showstoppers.  Would anyone with more experience using
>gnupg, or cryptography in general, like to check and see if there are any?

    There's at least one, and that is the absolute lack of support for
the RSA and IDEA algorithms.  Yes, I know they're encumbered.  They're
also the only way of communicating with PGP.
    My primary key is a 2048-bit RSA key.  I can communicate with
people using older PGP versions as well as modern ones (with the
exception of the crippled freeware PGP5 binary), and on top of that, I
understand the mathematics behind RSA and some of the issues involved
in factoring large numbers.  I have no clue how DH/DSS works as an
algorithm (I tried reading a paper on it once; it made my head swim),
and at least in the PGP software, the implementation of the key
separation looks a little strange to me (possibly an indicator of the
fact that I don't properly understand the implementation of key
separation in general, since it's something of a new concept to me).
As a separate issue, my understanding is that blowfish is a lot newer
than IDEA and hasn't been put through the same kind of testing, and
the same goes for Tiger vs MD5.  While this is not an indicator of
weakness in itself, I'd be perfectly happy letting *other* people beta
test this for a few years before I hop on it (and if you try to tell
me that MD5 is broken expect to see a 250k .pdf security bulletin on
the matter show up in your mailbox so you can better inform yourself).
    If I'm forced to generate a gpg key to sign packages for Debian,
it'll get generated for signing only (assuming gpg supports that), and
it won't be used for anything but signing packages, and (obviously) it
won't be signed by my main (RSA) key.  Hm.  Maybe I'll experiment with
key spoofing during the confusion involved in getting all the new keys
in...  Nah.  I don't have that much free time.
    I like free software.  Free software is good.  However, it has
to acquire a certain level of functionality before I'll use it in place
of non-free software that works.  Given the choice, I'll still write
code for pgp systems before I'd write it for gpg, because not only
does gpg not support the features I need, but it doesn't intend to for
a number of years thanks to patent restrictions.  


>Let's get rid of this piece of non-free, then...

    I'm not willing to cut off communication with the rest of the
world, thank you, even if the rest of the world is being inhospitable
by using encumbered encryption algorithms.  If you want to implement
gpg package signing next to pgp package signing, be warned that you'll
have to get used to using two different software packages to check the
signature on a package until every package has had at least one update
signed by gpg.  I think that's going to be a while.  
    Also be warned that if you decide to abandon pgp completely, you
aren't going to be able to verify most of the signatures that you run
across.  Including this one.

=============================================================================
 Zed Pobre <zed@va.debian.org>  |  PGP key on servers, fingerprint on finger
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 5.0
Charset: noconv

-----END PGP SIGNATURE-----

