-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
From: "Werner Koch" <wk(_at_)gnupg(_dot_)org>
The real problem is the continued use of IDEA, especially to protect
secret keys. A strong word that the use of IDEA is deprecated would
be helpful.
My guess is that this is a reaction to IDEA's patent encumberment.
If so, I disagree with Werner. The spec should certainly point
out the patent issue, but that shouldn't be grounds for deprecation.
Those using v4 keys can express their preference for other
algorithms. Most v3 key users are stuck with IDEA anyway, so
marking it deprecated won't sway them.
(If Werner's talking about the non-S2K protection of secret
keys, that is already described as deprecated.)
Or, perhaps there has been a recent vulnerability discovered
in IDEA that I've missed. If so, could someone provide a reference?
From: "Jon Callas" <jon(_at_)callas(_dot_)org>
Personally, I'd love to deprecate PGP 2.6. Almost all the interoperability
problems we have revolve around it.
Are you talking about merely marking it deprecated, or are you
contemplating removing some of the PGP2 interoperability
discussion?
Three are lots of v3-based signatures out there. They're a major
contributor to the "web of trust". I think it's important to
retain at least the key and signature format material.
The PGP2 handling of symmetric-key message encryption is already
marked as deprecated.
I'd be happy to see more of the PGP2 idiosyncracies moved out of the
mainline into an interoperability section, but I think it would be a
great disservice to drop them entirely.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQA/AwUBPmjVJOc3iHYL8FknEQJR+QCg2Ca2UtToYOWplnpfH+xNiaGpfroAoIi7
UDLIzAjWLXWtowiDqFmj3KwQ
=K6+e
-----END PGP SIGNATURE-----