Differences among PGP/GPG versions
E. William Horne
bill at horne.net
Fri Nov 2 13:12:45 EST 2001
Derek Atkins wrote:
>
>>"E. William Horne" <bill at stalwart.ne.mediaone.net> wrote:
>
>[snip]
>
>> Please take the time to supply the list with a comparison chart for the
>> various versions of PGP/GPG now available, including interoperable systems
>> that are not in the PGP family.
>
>It's actually fairly simple. There was a split between PGP 2.x and
>PGP 5.x. (I'm discounting the split at PGP 2.3a | PGP 2.5). The
>later versions of PGP can read all the older messages, but the older
>versions can not necessarily read the newer messages. What really
>matters are the algorithms. PGP 2.x only supports RSA/MD5/IDEA.
>Later versions support a wider range. If you match algorithms then
>you can interoperate.
>
>The issue with GPG is that by default it only supports "free"
>algorithms. Because IDEA is patented, it doesn't come with GPG by
>default. There is a module to add IDEA support, and you need to get
>that module in order to interoperate with older versions of PGP.
>
>> I'm particularly interested in integration with S/MIME, the availability
>> and usefulness of Verisign/Thwarte keys, and ways to make the system(s)
>> transparent to end users, especially those of us who use Lotus Notes at
>> our jobs and need to interoperate with other companies.
>
>S/MIME is a completely different beast, and is non-interoperable with
>PGP. It's like apples and oranges. There is PGP-MIME, which performs
>the same tasks as S/MIME but it uses PGP instead of the S/MIME syntax.
>I don't think that Verisign or Thwarte[sic] actually sign PGP keys,
>only X.509 keys, so I don't think you can use those certificates
>directly with PGP [ note: there has been some work to get x.509 keys
>into PGP, but it is unclear how "standard" that is ].
>
>Integration really is the issue, and it's a hard one. Some applications
>just don't allow for easy integration.
>
>At this point in time there is no good answer. I know that isn't what
>you want to hear, but it's all I can give you at the moment.
>
>I'd certainly be willing to put some time into an integration effort,
>provided someone was footing the bill ;)
>
>> Thanks in advance.
>
>I hope this helps (and feel free to forward this back to the list)

Derek,

Thanks for your explanation. I'll go to the well one more time, and ask
that you/the list broaden the discussion to include X.509 certificate
signing and ask the list if the BLU should get involved with that.

While I realize that PGP/GPG is a separate system from the X.509 model,
I'm trying to find ways to make both interoperate. If that means writing
Java to plug into Netscape, or other ways to make PGP/GPG transparent to
end users, then that's what I'm after.

HTH. I'll put "Thawte" into my spell checker ;-J.

Bill Horne
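
The point made in the quoted reply, that interoperability comes down to matching algorithms, can be checked from the packet bytes themselves. The following is an added example, not part of the original thread: it reads OpenPGP packet headers (layouts and algorithm IDs as defined in RFC 4880) and reports whether the signature and session-key packets stay within the RSA/MD5 set the reply attributes to PGP 2.x. The function names and sample packets are constructed for illustration.

```python
# Added illustration; IDs per RFC 4880, sample packets constructed (zeroed fields).
PUBKEY = {1: "RSA", 16: "Elgamal", 17: "DSA"}
HASH = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}
def packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header, the only kind PGP 2.x writes
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def algorithms(data):
    """Return (kind, version, public-key algorithm, hash or None) per packet."""
    found = []
    for tag, b in packets(data):
        if tag == 1:  # session key packet: the cipher ID is encrypted inside
            found.append(("pkesk", b[0], PUBKEY.get(b[9], b[9]), None))
        elif tag == 2 and b[0] in (2, 3):  # v3 layout: IDs follow the key ID
            found.append(("sig", b[0], PUBKEY.get(b[15], b[15]), HASH.get(b[16], b[16])))
        elif tag == 2 and b[0] == 4:  # v4 layout: IDs follow the signature type
            found.append(("sig", 4, PUBKEY.get(b[2], b[2]), HASH.get(b[3], b[3])))
    return found

def pgp2_compatible(data):
    """True if every packet found uses only v2/v3 layouts with RSA and MD5."""
    return all(v in (2, 3) and pk == "RSA" and h in (None, "MD5")
               for _, v, pk, h in algorithms(data))
V3_RSA_MD5 = bytes([0x88, 19, 3, 5, 0]) + bytes(12) + bytes([1, 1, 0, 0])
V4_DSA_SHA1 = bytes([0xC2, 10, 4, 0, 17, 2]) + bytes(6)
```

The symmetric cipher (IDEA or otherwise) cannot be checked this way, because its ID travels inside the encrypted session key.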