15 January 2002: Add NAI/PGP response.
15 January 2002
From: "Axel H Horns" <horns@ipjur.com>
To: cryptography@wasabisystems.com
Date: Tue, 15 Jan 2002 09:42:32 +0100
Subject: Re: PGP & GPG compatibility On 3 Jan 2070, at 9:41, Nicholas Brawn wrote: > What's the state of the game with PGP and GPG compatibility? Interesting question. I'm using PGP 6.5.8 for my professional confidential e-mails and sometimes I get complaints from GnuPG users saying they can't use my Pubkey. Currently I'm preparing an article on Internet security issues related to the businesses of attorneys-at-law and patent attorneys. In this context, it is already a hard job to promote usage of e-mail encryption, and such incompatibilities between various versions of PGP and GnuPG marke it even harder. Is there any URL available where I might get more detailed info? Thanks. Regards, Axel H Horns -- Patentanwalt Dipl.-Phys. Axel H Horns e-Mail horns@ipjur.com Web www.ipjur.com Voice ++49.89.30630112 Fax ++49.89.30630113 My PGP RSA Key ID = 0xD8433289 http://www.ipjur.com/pubkey.php3 PGP Pubkey Fingerprint C5D2 5E53 D241 4988 17E4 904D 9467 31BC
To: cryptography@wasabisystems.com Subject: Re: PGP & GPG compatibility From: Werner Koch <wk@gnupg.org> Date: Tue, 15 Jan 2002 13:19:35 +0100 On Sat, 3 Jan 1970 09:41:26 +1000, Nicholas Brawn said: > What's the state of the game with PGP and GPG compatibility? According to the bug reports I receive for GnuPG, it seems that even the latest versions of PGP (7.0.3?) are still not OpenPGP compatible. At least they still don't understand version 4 signatures on data packets (only on keys). I had in mind that this was fixed some time ago, but obviously this isn't the case. There is a problem wrt text mode signatures: no agreement was found on what a line ending consists of. PGP translates a CR inside a line (well, what most non Apple programmers consider a line ending) into a CR,LF sequence for hashing. The proper solution is not to use textmode signatures except for cleartext signed messages. About two years ago we agreed on a way to implement MDC and defined new packet types for it. I did some tests with Hal Finney and it used to work. The OpenPGP draft was later changed to introduce key flags and use one to enable MDC mode. However, GnuPG uses MDC mode with all ciphers of a block length other than 64 bits (i.e. Twofish and AES*). The draft has still not been released as a new RFC so this may change again :-(. The flaw in the secret key protection mechanism was discussed for a short time but it seems that nobody is willing to continue with this. I made several suggestion on how to do it. Interoperability tests should have happened last summer but for unknown reasons they didn't. It is very sad to see that after 3 years we have not achieved to get OpenPGP into draft status :-(. Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus
To: cryptography@wasabisystems.com Subject: Re: PGP & GPG compatibility From: Werner Koch <wk@gnupg.org> Date: Tue, 15 Jan 2002 18:32:01 +0100 On Tue, 15 Jan 2002 09:42:32 +0100, Axel H Horns said: > I'm using PGP 6.5.8 for my professional confidential e-mails and > sometimes I get complaints from GnuPG users saying they can't use my > Pubkey. So, you can't decrypt the attached message? Or does this problem only occur with another key? I have never received a bug report regarding such a problem. BTW, even NAI says that PGP (before 7.0) is not OpenPGP compliant. Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus
To: Werner Koch <wk@gnupg.org> Cc: cryptography@wasabisystems.com Subject: Re: PGP & GPG compatibility From: Derek Atkins <warlord@MIT.EDU> Date: 15 Jan 2002 15:06:42 -0500 Is there even development on the PGP (product) line? AFAIK they (NAI) have not release PGP 7.x in source form. Worse, there are a couple of bugs I found in 6.5.8 when I was porting it to Tru64, but who knows if anyone is listening over at NAI. It's a sad state of affairs. Perhaps I should go into "PGP consulting", but I don't know if anyone would pay me to support PGP for them.... -derek [Werner Koch message above snipped.]
Date: Tue, 15 Jan 2002 14:49:01 -0600 From: Matt Crawford <crawdad@fnal.gov> Subject: Re: PGP & GPG compatibility To: Derek Atkins <warlord@MIT.EDU> Cc: Werner Koch <wk@gnupg.org>, cryptography@wasabisystems.com > Is there even development on the PGP (product) line? AFAIK > they (NAI) have not release PGP 7.x in source form. Worse, there > are a couple of bugs I found in 6.5.8 when I was porting it > to Tru64, but who knows if anyone is listening over at NAI. Years ago I bought a few copies of commercial PGP with support. I sent in three separate bug reports, some of them dead simple to reproduce, and never got anything back except placebo talk.
To: Matt Crawford <crawdad@fnal.gov> Cc: Werner Koch <wk@gnupg.org>, cryptography@wasabisystems.com Subject: Re: PGP & GPG compatibility From: Derek Atkins <warlord@MIT.EDU> Date: 15 Jan 2002 15:53:59 -0500 Matt Crawford <crawdad@fnal.gov> writes: [Message above snipped.] I think people used to get better support when I personally answered pgp-bugs@mit.edu. I stopped providing that service due to lack of time, and I'm afraid that PGP support went out the window. From my perspective, NAI never provided any support for PGP -- even when I submitting patches, they would ignore them. Even worse, when I *DID* respond to someone on pgp-bugs, I'd get a response from NAI saying that they couldn't help me! Yes, those bozos actually responded to my _answer_ with a "we cannot help you" message. Sigh. So, no, I'm not surprised to hear this from an actual paying customer. -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available
Date: Tue, 15 Jan 2002 17:25:15 -0800 From: Will Price <wprice@cyphers.net> To: cryptography@wasabisystems.com Subject: Re: PGP & GPG compatibility Werner Koch wrote: > According to the bug reports I receive for GnuPG, it seems that > even the latest versions of PGP (7.0.3?) are still not OpenPGP > compatible. No, the latest version for Win32 is 7.1.1, and for MacOS 9 it is 7.1.0. I think it should be pointed out what a loaded statement the above is as well. That's like saying, "have you stopped beating your wife?" I would encourage some objectivity on that. > At least they still don't understand version 4 signatures on data > packets (only on keys). I had in mind that this was fixed some > time ago, but obviously this isn't the case. I'm fairly sure we support that in 7.1.0 and up. > There is a problem wrt text mode signatures: [..] That's not the only problem with text mode signatures. International characters present an even larger challenge. Most of this is not PGP/GPG's problem technically. The plethora of mail clients out there don't handle it well either. Going forward, UTF8 migration is likely to cause some growing pains for everybody. > Interoperability tests should have happened last summer but for > unknown reasons they didn't. It is very sad to see that after 3 > years we have not achieved to get OpenPGP into draft status :-(. It is a mystery to us as well what happened with that... We were ready to proceed, but we were not the organizer so it was out of our hands. Derek Atkins wrote: > Is there even development on the PGP (product) line? Well, yes, but see: http://www.pgp.com/other/jump/customer-faq.asp The products you know as "PGP" are in a "maintenance mode" "until a transition agreement is developed with a purchasing vendor". So, we currently are in the process of working through that. We just released PGP 7.1.1 last week, so development does continue in the meantime. > AFAIK they (NAI) have not release PGP 7.x in source form. Not true. See: http://www.pgp.com/downloads/pgpsdk-agreement.asp The SDK (which still includes little bits of your code Derek, and all other crypto/network/passphrase and even all the UI code which interacts with the crypto related code) has been published up through 7.1.1. The Windows GUI was last published at 6.5.8. > Worse, there are a couple of bugs I found in 6.5.8 when > I was porting it to Tru64, but who knows if anyone is > listening over at NAI. I don't know who you sent these to. You could always have sent diffs directly to me to make sure they get handled. The official address for these things remains peerreview@pgp.com. I am on that list so you couldn't have sent it to that one either since I haven't seen any diffs from you ever as far as I can recall. > I think people used to get better support when I personally > answered pgp-bugs@mit.edu. I stopped providing that service due to > lack of time, and I'm afraid that PGP support went out the window. > From my perspective, NAI never provided any support for PGP -- even > when I submitting patches, they would ignore them. It's always nice to find people willing and able to provide support for free. In the real world, that rarely happens even for free products (Cygnus, etc.). Outside firms have rated our PGP support 6.3 out of 7 based on customer surveys. Mind you, the people surveyed are the people who pay for the software. Our support really is quite good for enterprise customers, but admittedly can be considered weak or non-existent for freeware users. Without a support contract, I can see how some people could find PGP support frustrating. Many of our developers lurk in PGP newsgroups/mailing lists though and regularly help users out there on an informal basis. A few weeks ago, I spent over $30 on a support call to Intuit. I was incensed! I almost paid more to ask them why it doesn't work than I did to buy their product. On the other hand, I don't see how else they could do it and still make money. I don't really see any great solutions to mass consumer tech support, and frankly there isn't much of a paying market among consumers anyway. So, I applaud all those who offer free support, I do it myself quite often, but there's only so much time in a day. Side note, this may all be a moot point if a "transition agreement with a purchasing vendor" is not worked out RSN. -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc.
To: wprice@cyphers.net Cc: cryptography@wasabisystems.com Subject: Re: PGP & GPG compatibility From: Derek Atkins <warlord@MIT.EDU> Date: 15 Jan 2002 20:44:50 -0500 Will Price <wprice@cyphers.net> writes: > The SDK (which still includes little bits of your code Derek, and all > other crypto/network/passphrase and even all the UI code which > interacts with the crypto related code) has been published up through > 7.1.1. The Windows GUI was last published at 6.5.8. Does this include the Unix CLI? (And yes, I know a lot of my code is in there.. I was amused when I ported 6.5.8 to Tru64. I was also surprised (but relieved) at the re-write of the Ascii Parser). > > Worse, there are a couple of bugs I found in 6.5.8 when > > I was porting it to Tru64, but who knows if anyone is > > listening over at NAI. > > I don't know who you sent these to. You could always have sent diffs > directly to me to make sure they get handled. The official address > for these things remains peerreview@pgp.com. I am on that list so you > couldn't have sent it to that one either since I haven't seen any > diffs from you ever as far as I can recall. I sent patches to pgp-bugs@pgp.com. Is peerreview@pgp.com documented anywhere? The particular bug is the COMMENT handling in the binary parser. > Side note, this may all be a moot point if a "transition agreement > with a purchasing vendor" is not worked out RSN. So, um, what happens then? If NAI cannot find a buyer, will they bury the code? Or will NAI donate the code to the OpenSource community? If they cannot find a buyer will they relinguish the commercial rights to the OpenSource version (i.e. so that commercial entities can use the freeware)? > -- Will > > Will Price, Director of Engineering > PGP Security, Inc. > a division of Network Associates, Inc. -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available