On Thu, 6 Nov 2014 15:01, m...@sandelman.ca said:

> Werner Koch <w...@gnupg.org> wrote:
> > - All support for PGP-2 keys has been removed for security reasons.
>
> Does this mean that documents signed decades ago with PGP2 can no longer
> be verified?

Right. It is anyway useless because you have to assume that such
signatures are broken. If you want to decrypt you should have 1.4
versions somewhere. See the whats-new-in-2.1 article:

  1.2 Removal of PGP-2 support
  ────────────────────────────

  Some algorithms and parts of the protocols as used by the 20 years
  old [PGP-2] software are meanwhile considered unsafe. In particular
  the baked in use of the [MD5] hash algorithm limits the security of
  PGP-2 keys to non-acceptable rate. Technically those PGP-2 keys are
  called version 3 keys (v3) and are easily identified by a shorter
  fingerprint which is commonly presented as 16 separate double hex
  digits.

  With GnuPG 2.1 all support for those keys has gone. If they are in
  an existing keyring they will eventually be removed. If GnuPG
  encounters such a key on import it will not be imported due to the
  not anymore implemented v3 key format. Removing the v3 key support
  also reduces complexity of the code and is thus better than to keep
  on handling them with a specific error message.

  There is one use case where PGP-2 keys may still be required: For
  existing encrypted data. We suggest to keep a version of GnuPG 1.4
  around which still has support for these keys (it might be required
  to use the `--allow-weak-digest-algos' option). A better solution is
  to re-encrypt the data using a modern key.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
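
An added example (not part of the original mail and not GnuPG code): a small Python check that walks binary OpenPGP key data and reports each public key packet's version and fingerprint, so v3 keys stand out by the 16-byte MD5 fingerprint the article describes. The packet and fingerprint layout follows RFC 4880; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

def packets(data):  # yield (tag, body) per packet in binary (unarmored) OpenPGP data
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                                # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                         # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:
                raise ValueError("indeterminate length is not handled here")
            length, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + length]
        i += length

def read_mpi(buf, pos):  # return (value bytes, next offset) for the MPI at pos
    end = pos + 2 + (int.from_bytes(buf[pos:pos + 2], "big") + 7) // 8
    return buf[pos + 2:end], end

def audit(data):
    """Return [(key version, spaced hex fingerprint)] per public (sub)key packet."""
    found = []
    for tag, body in packets(data):
        if tag not in (6, 14):                        # public key, public subkey
            continue
        ver, digest = body[0], b""
        if ver in (2, 3):                             # PGP-2 key: MD5 over RSA n, e
            n, pos = read_mpi(body, 8)
            digest = hashlib.md5(n + read_mpi(body, pos)[0]).digest()
        elif ver == 4:                                # SHA-1 over 0x99, length, body
            digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
        found.append((ver, " ".join(f"{b:02X}" for b in digest)))
    return found

# Constructed sample: toy numbers laid out as RSA key packets, not real keys.
N, E = bytes.fromhex("C0FFEE1234567890ABCDEF01"), bytes.fromhex("010001")
KEYMAT = b"\x00\x60" + N + b"\x00\x11" + E           # two MPIs: bit count, then value
V3 = b"\x03" + bytes(4) + bytes(2) + b"\x01" + KEYMAT  # version, created, validity, algo
V4 = b"\x04" + bytes(4) + b"\x01" + KEYMAT             # version, created, algo
SAMPLE = b"".join(b"\x99" + len(b).to_bytes(2, "big") + b for b in (V3, V4))
```

Calling `audit()` on the output of `gpg --export` (binary, not armored) lists which keys in a keyring are still v3 before a move to 2.1.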