Another reason for PGP 2.x compatibility is that there are a lot of 
old computers out there that will not run more modern versions. Many 
of these machines find their way into 3rd-world countries and NGOs 
where there is a life-and-death need for security.

Also there is an argument that these old machines are significantly 
more secure than new equipment. The real threat to PGP security is 
clandestine software that captures and leaks your secret key. 
Bloatware (30-50 million lines of code in Windows 2000) has made any 
kind of independent OS security checking nearly impossible.  BIOSs 
and CPU firmware have also grown enormously and offer room for all 
sorts of mischief. An old 68000 Mac or 8086 PC with no hard drive is 
a lot more trustworthy in my opinion, and can make a very effective 
crypto box.

Arnold Reinhold


At 3:58 PM -0400 8/3/2000, Derek Atkins wrote:
>The problem is not necessarily in getting users of PGP 2.x to upgrade.
>That will happen on its own.  The problem is that users of PGP 2.x
>have old keys and, worse, old DATA that is encrypted and signed in the
>PGP 2.x formats using the PGP 2.x algorithms.
>
>The point is not to be able to create new messages that older
>implementations can read (although I certainly wouldn't complain if
>that actually happened).  Rather, the point is to be able to access
>all that old, encrypted data.  I still use PGP 2.6 because I have
>years worth of data encrypted and signed using PGP 2.6 formats, and I
>don't want to lose the information.  Some of the information is signed
>by OTHER people, so just decrypting and re-encrypting isn't
>sufficient.
>
>-derek
>
>Frank Tobin <[EMAIL PROTECTED]> writes:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Adam Back, at 12:01 -0400 on Thu, 3 Aug 2000, wrote:
>>
>> > I beg to differ.  The fastest way to get people to upgrade is if the
>> > new version works with the old version.  There are still many pgp2.x
>> > users who don't upgrade because they then lose the ability to
>> > communicate with other 2.x users.
>>
>> > Your proposal just perpetuates the problem.
>>
>> My proposal is realistic in the face that RFC 2440 is the standard to
>> follow.  One problem that people face today is that they still only think
>> there are 3 real classes of PGP implementations out there; PGP 2.x, PGP
>> 5.x and above, and GnuPG.  However, as more and more implementations
>> arise, the need for RFC 1990 users to abandon their implementations will
>> become more obvious.
>>
>> People also think that the only difference between 2.x and OpenPGP
>> implementations is the algorithms used.  Key formats have changed, the
>> message format has changed, compression algorithms, and a host of other
>> changes.  To think that maintaining compatibility is as simple as plugging
>> in RSA and IDEA is ridiculous.
>>
>> Look at signed messages posted to BugTraq, or other widely-known lists. 
>> The signatures are all made by OpenPGP-compatible implementations.  I would
>> argue the pressure should be placed on 2.x users, not blaming PGP Inc. or
>> GnuPG or the rest.
>>
>> > The GNU ethic about not using IDEA, is counterproductive; that just
>> > means more people use IDEA, because they can't upgrade because it
>> > won't work if they do.
>>
>> (while this paragraph does not make much sense to me, I'll try to reply)
>> Irregardless, the GNU ethic is about creating and promoting Free(tm)
>> software.  Period.  Any usage of IDEA would go contrary to it.
>>
>> - --
>> Frank Tobin          http://www.uiuc.edu/~ftobin/
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.0.2 (FreeBSD)
>> Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/
>>
>> iEYEARECAAYFAjmJnGwACgkQVv/RCiYMT6MwsACfbw27PLFXn8hJ/0WmoeMqpDlg
>> be0AmgMLaZ7sCODr8DohZar0/qzJEwQt
>> =91f9
>> -----END PGP SIGNATURE-----
>>
>>
>
>--
>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>       Member, MIT Student Information Processing Board  (SIPB)
>       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
>       [EMAIL PROTECTED]                        PGP key available

