Derek,
On Monday, Mar 10, 2003, at 12:30 US/Eastern, Derek Atkins wrote:
> The problem is not the use of the program (indeed, I haven't run pgp
> 2.6 in ages, I've been running pgp6). The problem is all the data
> encrypted using old keys and algorithms.
>
> I've got thousands of messages encrypted in my PGP2 RSA key using IDEA
> and MD5. Frankly, I don't want to go through my mail and re-encrypt
> all those messages using OpenPGP encryption -- I want to just be able
> to read those messages in the future.

Ah, thanks for the use case. I think I understand. I think that could
be achieved by you using an OpenPGP program that MAY support IDEA
decryption, no?
"An OpenPGP MAY support decryption of IDEA-encrypted messages but MUST
NOT generate them."
Or if that really, really is considered too weak: "An OpenPGP
implementation SHOULD support decryption of IDEA-encrypted messages but
MUST NOT generate them."
Is there any objection to the MUST NOT bit? I would think that
addressing Derek's use case removes any barrier for people to upgrade
to a recent OpenPGP implementation. And in that case we should really
kill off the support for those who insist on using outdated software. We
don't want to support Mediacrypt until 2011.
Killing off the sending of IDEA-encrypted messages also addresses my
concern: I will be able to decrypt any OpenPGP message sent to me
without being legally required to pay IDEA licensing fees. And Derek
can keep reading his existing mail.

> Admittedly, if there were a tool I could use that would do the
> re-encryption for me I might consider it,

What kind of message formats would it be required to handle?

> but I have no inclination to
> write such a tool at this moment. However, this means that I will
> always run a version of PGP that can read those messages. If RSA,
> IDEA, and MD5 are not available algorithms, that's a clue to me that I
> shouldn't upgrade.

Cheers,
-J