[7634] in cryptography@c2.net mail archive
Re: RSA expiry commemorative version of PGP?
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Fri Aug 4 17:35:58 2000
Mime-Version: 1.0
Message-Id: <v04210100b5afc717aa14@[24.218.56.92]>
In-Reply-To: <sjm66pi6rsc.fsf@rcn.ihtfp.org>
Date: Thu, 3 Aug 2000 21:22:32 -0400
To: Derek Atkins <warlord@mit.edu>, Frank Tobin <ftobin@uiuc.edu>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: Adam Back <adam@cypherspace.org>, cryptography@c2.net
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
Another reason for PGP 2.x compatibility is that there are a lot of
old computers out there that will not run more modern versions. Many
of these machines find their way into 3rd-world countries and NGOs
where there is a life-and-death need for security.

Also there is an argument that these old machines are significantly
more secure than new equipment. The real threat to PGP security is
clandestine software that captures and leaks your secret key.
Bloatware (30-50 million lines of code in Windows 2000) has made any
kind of independent OS security checking nearly impossible. BIOSs
and CPU firmware have also grown enormously and offer room for all
sorts of mischief. An old 68000 Mac or 8086 PC with no hard drive is
a lot more trustworthy in my opinion, and can make a very effective
crypto box.

Arnold Reinhold

At 3:58 PM -0400 8/3/2000, Derek Atkins wrote:
>The problem is not necessarily in getting users of PGP 2.x to upgrade.
>That will happen on its own. The problem is that users of PGP 2.x
>have old keys and, worse, old DATA that is encrypted and signed in the
>PGP 2.x formats using the PGP 2.x algorithms.
>
>The point is not to be able to create new messages that older
>implementations can read (although I certainly wouldn't complain if
>that actually happened). Rather, the point is to be able to access
>all that old, encrypted data. I still use PGP 2.6 because I have
>years' worth of data encrypted and signed using PGP 2.6 formats, and I
>don't want to lose the information. Some of the information is signed
>by OTHER people, so just decrypting and re-encrypting isn't
>sufficient.
>
>-derek
>
>Frank Tobin <ftobin@uiuc.edu> writes:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Adam Back, at 12:01 -0400 on Thu, 3 Aug 2000, wrote:
>>
>> > I beg to differ. The fastest way to get people to upgrade is if the
>> > new version works with the old version. There are still many pgp2.x
>> > users who don't upgrade because they then lose the ability to
>> > communicate with other 2.x users.
>>
>> > Your proposal just perpetuates the problem.
>>
>> My proposal is realistic in the face that RFC 2440 is the standard to
>> follow. One problem that people face today is that they still only think
>> there are 3 real classes of PGP implementations out there; PGP 2.x, PGP
>> 5.x and above, and GnuPG. However, as more and more implementations
>> arise, the need for RFC 1990 users to abandon their implementations will
>> become more obvious.
>>
>> People also think that the only difference between 2.x and OpenPGP
>> implementations is the algorithms used. Key formats have changed, the
>> message format has changed, compression algorithms, and a host of other
>> changes. To think that maintaining compatibility is as simple as plugging
>> in RSA and IDEA is ridiculous.
>>
>> Look at signed messages posted to BugTraq, or other widely-known lists.
>> The signatures are all made by OpenPGP-compatible implementations. I would
>> argue the pressure should be placed on 2.x users, not blaming PGP Inc. or
>> GnuPG or the rest.
>>
>> > The GNU ethic about not using IDEA, is counterproductive; that just
>> > means more people use IDEA, because they can't upgrade because it
>> > won't work if they do.
>>
>> (while this paragraph does not make much sense to me, I'll try to reply)
>> Irregardless, the GNU ethic is about creating and promoting Free(tm)
>> software. Period. Any usage of IDEA would go contrary to it.
>>
>> - --
>> Frank Tobin http://www.uiuc.edu/~ftobin/
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.0.2 (FreeBSD)
>> Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/
> >
> > iEYEARECAAYFAjmJnGwACgkQVv/RCiYMT6MwsACfbw27PLFXn8hJ/0WmoeMqpDlg
> > be0AmgMLaZ7sCODr8DohZar0/qzJEwQt
> > =91f9
> > -----END PGP SIGNATURE-----
> >
> >
>
>--
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
> warlord@MIT.EDU PGP key available