
Re: pgp 2.6.3i vs pgp5i vs gnupgp



On Mon, 17 Mar 2003, Chad Miller wrote:

> On Mon, Mar 17, 2003 at 02:57:26PM -0600, Drew Scott Daniels wrote:
> > I would like to set up a key to eventually be used for Debian related
> > activities (the kind nm's need). I would like to use an existing version
> > of pgp on a set of Solaris systems I have access to, the problem is they
> > have PGP version 2.6.3i. I'm unsure as to whether this is a secure version
> > of PGP and what kinds of bugs it has in it.
>
> I think you'll want to consider using GnuPG.  PGP's future is pretty
> uncertain, and it was pretty bleak until extremely recently.
>
> About this Solaris machine, beware that you shouldn't be running anything
> that you want to keep secure on a multi-user machine.  Most of us keep
> our keys on machines that are unreachable from the internet.  A single
> unpatched Solaris bug could expose your key to the world, and if you're
> able to upload packages to Debian based on that key, then millions of
> people could be affected by your single fsck-up.
>
How about for validation of PGP messages? Is the version on the Solaris
system good enough for validation? I've decided to carry a disk around
with my key and have GnuPG on all the various single user machines that I
use. I don't want to have to download messages to validate them instead of
doing it on the remote server, although I do realize the minor, but real
security issues involved in this too.

I've also found useful information at pgpi.org since my last post. It
seems that the IDEA algorithm is not in 2.6.x, but is in 5.0i and some
other versions. I also found pointers to the non-free "free" pgp 8 for
windows (yes, most of "my" single user machines are stuck with windows).
Its license is DFSG non-free to the point at which I'm questioning its
value over GnuPG. I don't know whether IDEA adds much value yet.

     Drew Daniels


