ietf-openpgp

Re: Further deprecating PGP2

2003-03-11 10:25:05

Jeroen van Gelderen <jeroen(_at_)vangelderen(_dot_)org> writes:

Derek,

On Monday, Mar 10, 2003, at 12:30 US/Eastern, Derek Atkins wrote:
The problem is not the use of the program (indeed, I haven't run pgp
2.6 in ages, I've been running pgp6).  The problem is all the data
encrypted using old keys and algorithms.

I've got thousands of messages encrypted in my PGP2 RSA key using IDEA
and MD5.  Frankly, I don't want to go through my mail and re-encrypt
all those messages using OpenPGP encryption -- I want to just be able
to read those messages in the future.

Ah, thanks for the use case. I think I understand. I think that could
be achieved by you using an OpenPGP program that MAY support IDEA
decryption, no?

Sure, that would be fine...

"An OpenPGP MAY support decryption of IDEA-encrypted messages but MUST
NOT generate them."

I wouldn't say MUST NOT generate; I think it's a bit too strong.
Generally, MUST NOT is used when using something would be detrimental
(e.g. it would be a security problem, or cause immeasurable interop
problems).  For example, one MUST NOT use "rot13" encryption.  I don't
see why supporting/using IDEA falls into this category.  Therefore, I
would say "SHOULD NOT encrypt using IDEA".  Is there some technical
reason why IDEA "MUST NOT" be used?

Killing off the sending of IDEA-encrypted messages also addresses my
concern: I will be able to decrypt any OpenPGP message sent to me
without being legally required to pay IDEA licensing fees. And Derek
can keep reading his existing mail.

I think MAY decrypt and SHOULD NOT encrypt gets you the same thing,
without making PGP.Com's implementation non-compliant for wanting to
support older algorithms.

Admittedly, if there were a tool I could use that would do the
re-encryption for me I might consider it,

What kind of message formats would it be required to handle?

Basically I want a tool that will walk through my email messages and
every time it finds a PGP block inside the message it replaces that
PGP block with a new PGP block which is a re-encrypted version.  In other
words, it looks for files that look like:

        blah blah blah
        ----- BEGIN PGP MESSAGE -----
        [radix64 snipped]
        ----- END PGP MESSAGE -----
        blah blah blah

And replaces it with:

        blah blah blah
        ----- BEGIN PGP MESSAGE -----
        [re-encrypted message in radix64 snipped]
        ----- END PGP MESSAGE -----
        blah blah blah

I'll give you extra points if the timestamp on the message is not changed.
;)

-derek
-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
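
The block-replacement tool described in the message above, as an added example that is not part of the original post and not code from any OpenPGP implementation. The `reencrypt` callback is a hypothetical hook where a real implementation would decrypt the old block and encrypt it again; the function names are assumptions, and the sample data is constructed.

```python
import os
import re
import tempfile

# Real ASCII-armor delimiters have no spaces inside the dashes.
ARMOR = re.compile(
    rb"^-----BEGIN PGP MESSAGE-----\r?\n.*?^-----END PGP MESSAGE-----(?=[ \t\r]*$)",
    re.MULTILINE | re.DOTALL,
)

def replace_pgp_blocks(data, reencrypt):
    """Return (new_data, count); reencrypt(block) -> replacement armored block."""
    count = 0
    def swap(match):
        nonlocal count
        count += 1
        return reencrypt(match.group(0))
    return ARMOR.sub(swap, data), count

def rewrite_file(path, reencrypt):
    """Replace every block in path, keeping the file's mode and timestamps."""
    st = os.stat(path)  # taken before reading, so atime is the pre-run value
    with open(path, "rb") as fh:
        original = fh.read()
    # If reencrypt() raises (e.g. undecryptable block), nothing is written.
    updated, count = replace_pgp_blocks(original, reencrypt)
    if count == 0:
        return 0
    # Temp file in the same directory so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(updated)
        os.chmod(tmp, st.st_mode & 0o7777)
        os.utime(tmp, ns=(st.st_atime_ns, st.st_mtime_ns))
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return count

if __name__ == "__main__":
    # Constructed sample; stub stands in for a real decrypt + re-encrypt step.
    def stub(block):
        return b"-----BEGIN PGP MESSAGE-----\n\nTkVX\n-----END PGP MESSAGE-----"
    sample = (b"blah blah blah\n-----BEGIN PGP MESSAGE-----\n\nT0xE\n"
              b"-----END PGP MESSAGE-----\nblah blah blah\n")
    print(replace_pgp_blocks(sample, stub)[0].decode())
```

Text outside the armor delimiters, including line endings, passes through byte for byte, and a file with no PGP block is never rewritten.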
