Re: pgp in Debian: obsolete?

On Thu, Aug 12, 2004 at 11:20:28PM +0200, Florian Weimer wrote:
> > Quoting Florian Weimer ([EMAIL PROTECTED]):
> > Just out of curiosity, are there now, or have there been in the past, any _other_ implementations of the OpenPGP spec, besides GnuPG?
>
> GnuPG is not a complete implementation of OpenPGP, either. Other partial implementations are contained in some PGP products, some NAI products, CryptoEx by Glück Kanja, and so on.

There is HushMail, too.

-- 
Lionel

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: pgp in Debian: obsolete?

On Tue, Aug 10, 2004 at 02:51:19PM -0700, Rick Moen wrote:
> Quoting Ian Beckwith ([EMAIL PROTECTED]):
> > Do you have links to documentation of these issues or where to get the pirated versions? How pirated/illegal are they? License permitting, I could maybe take patches from them.
>
> Quoting the licence for pgpi 6.5.8:
>
>     The source code contained herein is not intended to allow the development of source code or software for commercial distribution. No modifications to the source code contained in this book are allowed and any further redistribution of the source code in any modified form is expressly prohibited.

I assumed this would be taken care of by the fact we distribute the .orig.tar.gz. If that's not enough, then I assume we can't distribute it at all, not even in non-free.

Ian.

-- 
Ian Beckwith - [EMAIL PROTECTED] - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
Re: pgp in Debian: obsolete?

Hi,

Phillip Hofmeister wrote:
> If you wanted to make a second version of GPG and place it in non-free, that would likely be an acceptable option.

You don't need to make a second version of GPG; the IDEA module can be loaded dynamically.

-- 
Matthias Urlichs
Re: pgp in Debian: obsolete?

On Thu, 12 Aug 2004 at 03:35:29AM -0400, Matthias Urlichs wrote:
> Hi,
>
> Phillip Hofmeister wrote:
> > If you wanted to make a second version of GPG and place it in non-free, that would likely be an acceptable option.
>
> You don't need to make a second version of GPG; the IDEA module can be loaded dynamically.

Then the module would need to be in non-free.

-- 
Phillip Hofmeister
Re: pgp in Debian: obsolete?

* Phillip Hofmeister:

> > You don't need to make a second version of GPG; the IDEA module can be loaded dynamically.
>
> Then the module would need to be in non-free.

non-us, I think.
Re: pgp in Debian: obsolete?

On Thu, 12 Aug 2004, Florian Weimer wrote:
> > > You don't need to make a second version of GPG; the IDEA module can be loaded dynamically.
> >
> > Then the module would need to be in non-free.
>
> non-us, I think.

non-free in non-us, actually. And maybe not even there, since the IDEA patent is a problem in Europe.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: pgp in Debian: obsolete?

* Ian Beckwith:

> On Sat, Aug 07, 2004 at 09:17:38PM +0200, Florian Weimer wrote:
> > Both PGP 5 and 6.5 have security issues which haven't been fixed upstream (because there isn't any upstream anymore). There are some pirated versions of 6.5.8 that incorporate fixes, but Debian certainly shouldn't encourage distribution of them.
>
> Hmm. Do you have links to documentation of these issues

IIRC, there's a buffer overflow in the UID handling that has never been published. Then there's the Klima-Rosa attack, the lack of an MDC (Modification Detection Code), and one or more user ID handling bugs (see http://www.bluering.nl/pgp/useridbug.txt).

I once worked on an OpenPGP implementation vulnerability matrix, but this topic isn't very interesting anymore. For me at least, there's just GnuPG.
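Florian lists the lack of an MDC among the PGP 5/6.5 problems. The check a practitioner wants for an archived message is whether its encrypted-data packet is the legacy tag 9 (Symmetrically Encrypted Data, no integrity protection) or tag 18 (Symmetrically Encrypted and Integrity Protected Data, which ends in the MDC). The following is an added example for this archive, not code from GnuPG, PGP or any poster in the thread: a walker over OpenPGP packet framing as specified in RFC 4880 section 4.2 (old- and new-format headers, one-, two- and four-octet and indeterminate lengths) that reports each packet and refuses to call a message protected unless tag 18 is actually present. The two sample messages are constructed framing with placeholder bodies, not real ciphertext.

```python
"""Walk OpenPGP packet framing and flag encrypted data with no MDC.

Added example for this archive, not GnuPG or PGP code.  Header rules are
those of RFC 4880 section 4.2; partial body lengths (streamed messages)
are rejected rather than reassembled.
"""

PACKET_NAMES = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data (legacy, no MDC)",
    11: "Literal Data",
    13: "User ID",
    18: "Sym. Encrypted Integrity Protected Data (with MDC)",
    19: "Modification Detection Code",
}


def _uint(data: bytes, pos: int, n: int) -> int:
    """Big-endian unsigned integer of n octets at pos; ValueError if truncated."""
    chunk = data[pos:pos + n]
    if len(chunk) != n:
        raise ValueError(f"truncated header at offset {pos}")
    return int.from_bytes(chunk, "big")


def parse_packets(data: bytes) -> list:
    """Return [(tag, body), ...] for the top-level packets in data.

    Malformed or truncated framing raises ValueError, so trailing garbage
    is never silently accepted as a packet.
    """
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"bit 7 clear at offset {pos - 1}: not a packet header")
        if ctb & 0x40:
            # New-format header: tag in the low six bits, self-describing length.
            tag = ctb & 0x3F
            first = _uint(data, pos, 1)
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + _uint(data, pos, 1) + 192
                pos += 1
            elif first == 255:
                length = _uint(data, pos, 4)
                pos += 4
            else:
                raise ValueError(f"partial body length at offset {pos - 1}: not handled")
        else:
            # Old-format header: tag in bits 5..2, length type in bits 1..0.
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - pos          # indeterminate: runs to end of input
            else:
                n = (1, 2, 4)[ltype]
                length = _uint(data, pos, n)
                pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"packet tag {tag} at offset {pos} claims {length} octets, "
                             f"only {len(body)} present")
        packets.append((tag, body))
        pos += length
    return packets


def has_mdc(data: bytes) -> bool:
    """True if the message's encrypted data is integrity protected (tag 18).

    Raises ValueError when there is no encrypted data at all, so the mere
    absence of tag 9 is never mistaken for protection.
    """
    tags = [tag for tag, _ in parse_packets(data)]
    if 9 not in tags and 18 not in tags:
        raise ValueError("no encrypted data packet in message")
    return 9 not in tags


def describe(data: bytes) -> list:
    return [f"tag {tag:2d}, {len(body):4d} octets: {PACKET_NAMES.get(tag, 'unknown')}"
            for tag, body in parse_packets(data)]


# Constructed sample framing; bodies are placeholders, not real ciphertext.
# PGP 2.x/5.x style: old-format PKESK (tag 1, two-octet length) followed by
# old-format tag 9, which carries no integrity protection.
LEGACY_MSG = bytes([0x85, 0x00, 0x04]) + b"KEY!" + bytes([0xA4, 0x06]) + b"CIPHER"
# GnuPG style: the same PKESK followed by new-format tag 18, whose body
# starts with a version octet of 1 and would end in the MDC.
MDC_MSG = bytes([0x85, 0x00, 0x04]) + b"KEY!" + bytes([0xD2, 0x07, 0x01]) + b"CIPHER"

if __name__ == "__main__":
    for name, msg in (("legacy", LEGACY_MSG), ("gnupg", MDC_MSG)):
        print(name, "MDC present" if has_mdc(msg) else "NO MDC")
        for line in describe(msg):
            print("  " + line)
```

The 0x85 and 0xD2 leading octets are the real ones (they are why ASCII-armoured GnuPG messages so often begin with "hQ" and contain a later "0s" block); everything after them here is made up. Running the check over an archive of old PGP 5 output lets you separate messages that can be tampered with undetectably from those that cannot, before deciding what to keep decrypting with legacy software.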
Re: pgp in Debian: obsolete?

* Henrique de Moraes Holschuh:

> On Thu, 12 Aug 2004, Florian Weimer wrote:
> > > > You don't need to make a second version of GPG; the IDEA module can be loaded dynamically.
> > >
> > > Then the module would need to be in non-free.
> >
> > non-us, I think.
>
> non-free in non-us, actually.

Why non-free? The code is available under a DFSG-free copyright license.

> And maybe not even there, since the IDEA patent is a problem in Europe.

non-US is just a misnomer.
Re: pgp in Debian: obsolete?

On Thu, 12 Aug 2004, Florian Weimer wrote:
> * Henrique de Moraes Holschuh:
> > On Thu, 12 Aug 2004, Florian Weimer wrote:
> > > > > You don't need to make a second version of GPG; the IDEA module can be loaded dynamically.
> > > >
> > > > Then the module would need to be in non-free.
> > >
> > > non-us, I think.
> >
> > non-free in non-us, actually.
>
> Why non-free? The code is available under a DFSG-free copyright license.

The one I have here isn't, but if you have one that is entirely DFSG-free, that's much better.

The whole issue with IDEA has always been the patents, anyway. The non-DFSG-freeness of the IDEA module (or of certain versions of it, anyway) looks a lot like an attempt of the author to protect himself from patent problems.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: pgp in Debian: obsolete?

* Henrique de Moraes Holschuh:

> > Why non-free? The code is available under a DFSG-free copyright license.
>
> The one I have here isn't, but if you have one that is entirely DFSG-free, that's much better.

An older version is available from:

http://www.linuxmafia.com/pub/linux/security/gnupg/idea.c
Re: pgp in Debian: obsolete?

Quoting Florian Weimer ([EMAIL PROTECTED]):
> * Henrique de Moraes Holschuh:
> > > Why non-free? The code is available under a DFSG-free copyright license.
> >
> > The one I have here isn't, but if you have one that is entirely DFSG-free, that's much better.
>
> An older version is available from:
>
> http://linuxmafia.com/pub/linux/security/gnupg/idea.c

(Hey, that's my living room. ;-)

Although idea.c copyright holder Werner Koch licenses his copyright under BSD terms, the header details Ascom AG's patent licence terms (free of charge for non-commercial use). As others have said, it's solely the patent that's the problem -- but that patent makes the code non-free in all countries where the patent still has force: I'm pretty sure that's just about everywhere.

Patent expires in 2011, by the way. (Possibly a bit later in some places. There were filings in at least the USA, European Patent Office, and Japan, to my knowledge.)
Re: pgp in Debian: obsolete?

Quoting Florian Weimer ([EMAIL PROTECTED]):
> I once worked on an OpenPGP implementation vulnerability matrix, but this topic isn't very interesting anymore. For me at least, there's just GnuPG.

Just out of curiosity, are there now, or have there been in the past, any _other_ implementations of the OpenPGP spec, besides GnuPG? I tried to find some, when I was preparing my lecture on GnuPG[1], and couldn't find any.

[1] GnuPG Lecture on http://linuxmafia.com/kb/Security/
Re: pgp in Debian: obsolete?

* Rick Moen:

> Quoting Florian Weimer ([EMAIL PROTECTED]):
> > I once worked on an OpenPGP implementation vulnerability matrix, but this topic isn't very interesting anymore. For me at least, there's just GnuPG.
>
> Just out of curiosity, are there now, or have there been in the past, any _other_ implementations of the OpenPGP spec, besides GnuPG?

GnuPG is not a complete implementation of OpenPGP, either. Other partial implementations are contained in some PGP products, some NAI products, CryptoEx by Glück Kanja, and so on.
Re: pgp in Debian: obsolete?

On Tue, 10 Aug 2004 at 05:51:19PM -0400, Rick Moen wrote:
> Quoting Ian Beckwith ([EMAIL PROTECTED]):
> > Do you have links to documentation of these issues or where to get the pirated versions? How pirated/illegal are they? License permitting, I could maybe take patches from them.
>
> Quoting the licence for pgpi 6.5.8:
>
>     The source code contained herein is not intended to allow the development of source code or software for commercial distribution. No modifications to the source code contained in this book are allowed and any further redistribution of the source code in any modified form is expressly prohibited.

Which is a clear violation of the social contract. If you wanted to make a second version of GPG and place it in non-free, that would likely be an acceptable option.

-- 
Phillip Hofmeister
Re: pgp in Debian: obsolete?

On Sat, Aug 07, 2004 at 09:17:38PM +0200, Florian Weimer wrote:
> Both PGP 5 and 6.5 have security issues which haven't been fixed upstream (because there isn't any upstream anymore). There are some pirated versions of 6.5.8 that incorporate fixes, but Debian certainly shouldn't encourage distribution of them.

Hmm. Do you have links to documentation of these issues or where to get the pirated versions? How pirated/illegal are they? License permitting, I could maybe take patches from them.

Ian.

-- 
Ian Beckwith - [EMAIL PROTECTED] - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
Listening to: Nusrat Fateh Ali Khan & Michael Brook - Asian Travels - Sweet Pain
Re: pgp in Debian: obsolete?

Quoting Ian Beckwith ([EMAIL PROTECTED]):
> Do you have links to documentation of these issues or where to get the pirated versions? How pirated/illegal are they? License permitting, I could maybe take patches from them.

Quoting the licence for pgpi 6.5.8:

    The source code contained herein is not intended to allow the development of source code or software for commercial distribution. No modifications to the source code contained in this book are allowed and any further redistribution of the source code in any modified form is expressly prohibited.

-- 
Cheers,              Founding member of the Hyphenation Society, a grassroots-based,
Rick Moen            not-for-profit, locally-owned-and-operated, cooperatively-managed,
[EMAIL PROTECTED]    modern-American-English-usage-improvement association.
Re: pgp in Debian: obsolete?

> In short, better package the IDEA module for GnuPG...

I did some work on this sometime ago, based on a previous package. The work is here:

http://tiefighter.et.tudelft.nl/~arthur/gnupg-idea/

It is sort of a source-based installer. You get the source, and when building the package it downloads the source and creates a binary package.

The source file idea.c is however not DFSG free because the copyright notice forbids distribution in certain countries (and that is apart from the patent issue).

-- 
arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong
Re: pgp in Debian: obsolete?

> http://tiefighter.et.tudelft.nl/~arthur/gnupg-idea/
>
> It is sort of a source-based installer. You get the source, and when building the package it downloads the source and creates a binary package.
>
> The source file idea.c is however not DFSG free because the copyright notice forbids distribution in certain countries (and that is apart from the patent issue).

Do we know who the original author of that file was? And what country they wrote the code in? A lot of times, those copyright notices are applied in order to protect the author from possible violations of US export controls. The original author may now be able to relicense the code with a more compatible set of restrictions...
Re: pgp in Debian: obsolete?

* Arthur de Jong:

> > In short, better package the IDEA module for GnuPG...
>
> I did some work on this sometime ago, based on a previous package. The work is here:
>
> http://tiefighter.et.tudelft.nl/~arthur/gnupg-idea/
>
> It is sort of a source-based installer. You get the source, and when building the package it downloads the source and creates a binary package.
>
> The source file idea.c is however not DFSG free because the copyright notice forbids distribution in certain countries (and that is apart from the patent issue).

There are versions of idea.c for GnuPG which haven't got such restrictions. (The patent problem is unrelated and still applies, of course.)
Re: pgp in Debian: obsolete?

Thanks to everyone for your comments.

On Thu, Aug 05, 2004 at 06:58:58PM +0100, Dale Amon wrote:
> Keep in mind people may have encrypted files and email archived. The means of accessing archive data should be considered to be at least as immortal as the data itself.

Given this and Rick Moen's comments about the IDEA issue, I think it's worth keeping pgp in.

I shall attempt to get an updated pgp5i with FTBFS fixes into sarge, and post-sarge I will package 6.5.8 and get the package renamed from pgp5i to pgp.

Unfortunately, I'm not yet a DD, so... anyone fancy sponsoring my uploads? Files are at:

http://nessie.mcc.ac.uk/~ianb/debian/

Ian.

-- 
Ian Beckwith - [EMAIL PROTECTED] - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
Listening to: Primal Scream - Vanishing Point - Kowalski
Re: pgp in Debian: obsolete?

* Ian Beckwith:

> I shall attempt to get an updated pgp5i with FTBFS fixes into sarge, and post-sarge I will package 6.5.8 and get the package renamed from pgp5i to pgp.

Both PGP 5 and 6.5 have security issues which haven't been fixed upstream (because there isn't any upstream anymore). There are some pirated versions of 6.5.8 that incorporate fixes, but Debian certainly shouldn't encourage distribution of them.

In short, better package the IDEA module for GnuPG...
Re: pgp in Debian: obsolete? [gpg idea support]

On Thu, 2004-08-05 at 14:13, Rick Moen wrote:
> Just attempting to fill in missing detail: PGP first used for its symmetric cipher Zimmermann's own amateur effort Bass-o-Matic, which was quickly dropped and replaced with the IDEA algorithm. IDEA is patent encumbered (and will remain that way for some years, yet). GnuPG lacks IDEA support. It was included for a while as an optional module, but has been removed from the tarball. (You can find it and retrofit it, if you search a bit.)
>
> That and the lingering IDEA problem (limiting only compatibility with some PGP 2.x users) are all I'm aware of. PGPi, unlike GnuPG, _does_ include IDEA code by default.

I wrote something about IDEA and gnupg a while ago. It's a quick blurb for people who wanted to use IDEA but weren't entirely sure how to do it:

http://yak.net/fqa/346.html

It's nothing special, but if you were wondering how, it's not very difficult. Enjoy.

-- 
Jake Appelbaum
[EMAIL PROTECTED]
pgp in Debian: obsolete?

Hello.

I am in the process of taking over maintenance of pgp5i, based on the international unix version of PGP version 5, pgp50i-unix-src.tar.gz

The previous maintainer suspects that nobody uses the package anymore so it can be removed from debian, as everyone has switched to gpg.

Is anyone still using pgp5i in debian?

If there is a demand for it, is there any reason I shouldn't upgrade the package to the latest pgp? (6.5.8 I believe, assuming the international pgp restrictions no longer apply).

thanks,

Ian.

-- 
Ian Beckwith - [EMAIL PROTECTED] - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
Listening to: Anne Dudley and Jaz Coleman - Hannah
Re: pgp in Debian: obsolete?

On Thu, Aug 05, 2004 at 06:51:22PM +0100, Ian Beckwith wrote:
> If there is a demand for it, is there any reason I shouldn't upgrade the package to the latest pgp? (6.5.8 I believe, assuming the international pgp restrictions no longer apply).

Keep in mind people may have encrypted files and email archived. The means of accessing archive data should be considered to be at least as immortal as the data itself.

-- 
Dale Amon   [EMAIL PROTECTED]   +44-7802-188325
International linux systems consultancy
Hardware software system design, security and networking, systems programming and Admin
Have Laptop, Will Travel
Re: pgp in Debian: obsolete?

Quoting Dale Amon ([EMAIL PROTECTED]):
> On Thu, Aug 05, 2004 at 06:51:22PM +0100, Ian Beckwith wrote:
> > If there is a demand for it, is there any reason I shouldn't upgrade the package to the latest pgp? (6.5.8 I believe, assuming the international pgp restrictions no longer apply).
>
> Keep in mind people may have encrypted files and email archived. The means of accessing archive data should be considered to be at least as immortal as the data itself.

Aren't GnuPG's decryption/verification features a superset of those in PGPi 5.0? That's not a rhetorical question: I've been telling people that for years in a good faith effort at accuracy, and so will appreciate any corrections. (I mean no disrespect to Ståle Schumacher Ytteborg or others who gave us PGPi 5.0, which was extremely useful before GnuPG and the OpenPGP RFCs.)

Speaking from slightly rusty recollection of the issues on Ian's original question, 6.5.8 is indeed the latest PGPi version for Unix, and I can't see any reason in the tarball why upgrading the package wouldn't be a good thing (but it'd be nice if NAI decided they liked Changelogs).

-- 
Cheers,              "That scruffy beard... those suspenders... that smug expression.
Rick Moen            You're one of those condescending Unix users!
[EMAIL PROTECTED]    Here's a nickel, kid. Get yourself a real computer." -- Dilbert
Re: pgp in Debian: obsolete?

On Thu, Aug 05, 2004 at 11:40:09AM -0700, Rick Moen wrote:
> > Keep in mind people may have encrypted files and email archived. The means of accessing archive data should be considered to be at least as immortal as the data itself.
>
> Aren't GnuPG's decryption/verification features a superset of those in PGPi 5.0? That's not a rhetorical question: I've been telling people that for years in a good faith effort at accuracy, and so will appreciate any corrections.

I don't know for sure either. I do seem to remember there was a document explaining how to transition and that there was a new key generation method. I also vaguely remember having some problem with my own package signing keys when the switch was made from PGP to GPG, but that is 4-5 years ago and I cannot for the life of me remember the details. I just have a vague disquiet about it.

I'm certain that somewhere I've got files using the old keys, and since I'm in Ireland, Murphy will drop in for tea the day after PGP goes away...

-- 
Dale Amon   [EMAIL PROTECTED]   +44-7802-188325
International linux systems consultancy
Hardware software system design, security and networking, systems programming and Admin
Have Laptop, Will Travel
Re: pgp in Debian: obsolete?

Quoting Dale Amon ([EMAIL PROTECTED]):
> I don't know for sure either. I do seem to remember there was a document explaining how to transition and that there was a new key generation method. I also vaguely remember having some problem with my own package signing keys when the switch was made from PGP to GPG, but that is 4-5 years ago and I cannot for the life of me remember the details. I just have a vague disquiet about it.

Just attempting to fill in missing detail: PGP first used for its symmetric cipher Zimmermann's own amateur effort Bass-o-Matic, which was quickly dropped and replaced with the IDEA algorithm. IDEA is patent encumbered (and will remain that way for some years, yet). GnuPG lacks IDEA support. It was included for a while as an optional module, but has been removed from the tarball. (You can find it and retrofit it, if you search a bit.)

The problems with dodgy RSA support have, as you mentioned, now gone away: One can achieve maximum compatibility with various PGP versions by avoiding mixing RSA and Diffie-Hellman / DSS, as detailed here:

http://www.shub-internet.org/pgp_5_tips.html

That and the lingering IDEA problem (limiting only compatibility with some PGP 2.x users) are all I'm aware of. PGPi, unlike GnuPG, _does_ include IDEA code by default.

-- 
Cheers,              "There are only 10 types of people in this world --
Rick Moen            those who understand binary arithmetic and those who don't."
[EMAIL PROTECTED]
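Rick's summary is where the IDEA question in this thread bottoms out: PGP 2.x ciphertext needs IDEA, and in 2004 the only open question was where the code could legally live. The block below is an added example for this archive, written from the published Lai/Massey description of the algorithm; it is not GnuPG's idea.c extension module, not PGP's source, and not anything a poster in the thread wrote. It carries the full encryption and decryption key schedules and checks itself against the standard published IDEA test vector (key 0001 0002 ... 0008, plaintext 0000 0001 0002 0003, ciphertext 11FB ED2B 0198 6DE5). It operates on a single 64-bit block only: actually decrypting a PGP 2.x message would additionally need PGP's CFB mode variant and the session-key unpacking, which are outside this thread. The patents Rick refers to have since expired (2011 in Europe, early 2012 in the US), after which GnuPG shipped IDEA in its own tree.

```python
"""IDEA block cipher: 64-bit block, 128-bit key, 8 rounds plus an output
transformation.  Added example for this archive, written from the
published algorithm; not GnuPG's idea.c module and not PGP's code.
"""

MOD = 0x10001   # 2**16 + 1 is prime; IDEA multiplies in its group of units
MASK = 0xFFFF


def mul(a: int, b: int) -> int:
    """Multiplication mod 2**16 + 1, where the 16-bit value 0 stands for 2**16."""
    return (((a or 0x10000) * (b or 0x10000)) % MOD) & MASK   # 2**16 maps back to 0


def add(a: int, b: int) -> int:
    return (a + b) & MASK


def mul_inv(a: int) -> int:
    """Inverse under mul(), via Fermat: a**(p-2) mod p.  mul_inv(0) == 0."""
    return pow(a or 0x10000, MOD - 2, MOD) & MASK


def add_inv(a: int) -> int:
    return (-a) & MASK


def expand_key(key: bytes) -> list:
    """52 sixteen-bit encryption subkeys: the 8 key words, then the key
    rotated left by 25 bits, and so on until 52 are collected."""
    if len(key) != 16:
        raise ValueError("IDEA key must be 16 bytes")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys.extend((k >> (112 - 16 * i)) & MASK for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def invert_key(ek: list) -> list:
    """Decryption subkeys.  Rounds 2..8 swap the two additive inverses to
    absorb the inner-word swap each round performs; decryption round 1 and
    the output transformation are not swapped."""
    dk = [0] * 52
    dk[0:4] = [mul_inv(ek[48]), add_inv(ek[49]), add_inv(ek[50]), mul_inv(ek[51])]
    dk[4:6] = ek[46:48]
    for j in range(1, 8):
        b = 6 * (8 - j)                       # start of the matching encryption round
        dk[6 * j:6 * j + 6] = [mul_inv(ek[b]), add_inv(ek[b + 2]), add_inv(ek[b + 1]),
                               mul_inv(ek[b + 3]), ek[b - 2], ek[b - 1]]
    dk[48:52] = [mul_inv(ek[0]), add_inv(ek[1]), add_inv(ek[2]), mul_inv(ek[3])]
    return dk


def _crypt_block(block: bytes, sk: list) -> bytes:
    if len(block) != 8:
        raise ValueError("IDEA block must be 8 bytes")
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        k1, k2, k3, k4, k5, k6 = sk[6 * r:6 * r + 6]
        x1, x2, x3, x4 = mul(x1, k1), add(x2, k2), add(x3, k3), mul(x4, k4)
        t0 = mul(x1 ^ x3, k5)                 # multiplication-addition (MA) box
        t1 = mul(add(x2 ^ x4, t0), k6)
        t0 = add(t0, t1)
        x1, x2, x3, x4 = x1 ^ t1, x3 ^ t1, x2 ^ t0, x4 ^ t0   # inner words swapped
    x2, x3 = x3, x2                           # undo the last swap
    out = (mul(x1, sk[48]), add(x2, sk[49]), add(x3, sk[50]), mul(x4, sk[51]))
    return b"".join(w.to_bytes(2, "big") for w in out)


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _crypt_block(block, expand_key(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _crypt_block(block, invert_key(expand_key(key)))


# Standard published IDEA test vector.
TEST_KEY = bytes.fromhex("00010002000300040005000600070008")
TEST_PLAIN = bytes.fromhex("0000000100020003")
TEST_CIPHER = bytes.fromhex("11fbed2b01986de5")


def self_test() -> bool:
    return (encrypt_block(TEST_KEY, TEST_PLAIN) == TEST_CIPHER
            and decrypt_block(TEST_KEY, TEST_CIPHER) == TEST_PLAIN)


if __name__ == "__main__":
    print("IDEA self-test:", "ok" if self_test() else "FAILED")
```

The only non-obvious arithmetic is mul(): the 16-bit value 0 denotes 2**16, so that all 65536 word values are units modulo the prime 65537 and every subkey is invertible; mul_inv() relies on the same convention, which is why the inverse of 0 is 0. The decryption schedule reuses the encryption round function unchanged, so a mistake there shows up immediately as a failed round trip in self_test().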