On Nov 30, 2008, at 11:40 PM, Robert J. Hansen wrote:

> Myckel Habets wrote:
>
>> The person who said to me that the key validates as bad uses the PGPkeys program from the PGP Corporation software (version 6.58, last version that was released when Phil Zimmermann worked there, he doesn't trust later versions) to do the validation.
>
> This is factually untrue.
>
> Phil Z. left PGP Security, a branch of Network Associates, in early 2001. This would've been just after the PGP 7.1 release. Phil himself has sworn to the solidness of the PGP 7.0 and 7.1 releases. Despite there being no source release, most people -- myself included -- consider Phil's word to be good.
>
> Network Associates shut down PGP Security in early 2001. PGP Corporation was formed as a completely separate business entity which purchased the desktop PGP products from Network Associates. Most of the key players from PGP Security came on board at the new PGP Corporation.
>
> Phil Z. has officially left PGP Corporation to pursue other interests, if memory serves. This doesn't surprise me in the least. After a decade and a half at the same job, he's entitled to do other things. As of late, secure internet telephony has been his object of interest. That said, Phil is still in close contact with many of the principal people at PGP Corporation.
>
>> 1) What is causing this problem? Is my key really bad or is this an incompatibility between PGPkeys version 6.58 and GPG?
>
> Toyota has a philosophy that when investigating failures, one should ask "why?" multiple times.
>
> Q. Why is this failure occurring?
> A. Your friend is using an antique version of PGP.
>
> Q. Why is your friend using an antique version of PGP?
> A. Your friend doesn't trust versions Phil hasn't worked on.
>
> Q. Why does your friend mistakenly think Phil hasn't worked on 7.0 and later versions?
> A. ... I don't know. You may want to look into this.
>
> As far as engineering maxims go, the Toyota school of thought is pretty good. Find the deepest level of failure and fix that, rather than fixing superficial problems.

I think that last question is irrelevant, as it follows from the "doesn't trust versions that Phil hasn't worked on", which makes it derived from a false premise. It does not matter whether Phil has worked on 7.0 and later, or indeed any version of PGP, because Phil being involved does not ipso facto cause PGP to be good (for whatever value of "good" you like). If the equation is "Phil involved == good PGP", and "Phil not involved == bad PGP" then the battle for making intelligent decisions about PGP has been lost from the start. Phil is a good guy, and he did start something huge, but his involvement is not magic pixie dust that causes crypto goodness to spring into being.

> Other people have suggested convincing your friend to use a more recent version of PGP, or a recent version of GnuPG. It's good advice, as far as it goes. I think the problem goes deeper than that, however.

I think it does as well. Once upon a time, I spent a lot of hours coding various workarounds in GnuPG for old versions of PGP. This is where the --pgp2, --pgp6, --pgp7, etc, flags in GnuPG came from. Now, years later, I sometimes wonder if I made a mistake. Perhaps it would have been wiser to bite the bullet and let these things break.
David
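Myckel's first question, whether the key is actually bad or whether PGPkeys 6.58 simply cannot read it, can be settled from the key's own packets before anyone is asked to change software. The script below is an added example, not code from this thread or from GnuPG. It reads the text that `gpg --list-packets` prints (the line format is assumed from GnuPG's output: `:signature packet: ...`, `digest algo N, ...`, `hashed subpkt 11 len 5 (pref-sym-algos: ...)`) and lists the features a PGP 6 client cannot process, using as its definition of "PGP 6 compatible" the same limits GnuPG's --pgp6 option enforces on output: MD5/SHA1/RIPEMD160 hashes, IDEA/3DES/CAST5 ciphers, RSA/ElGamal/DSA keys, and no signing subkeys. The two dumps embedded at the bottom are constructed samples, not real keys.

```python
import re
import sys

# OpenPGP algorithm ids (RFC 4880 section 9). The PGP 6 subsets are an
# assumption taken from what GnuPG's --pgp6 option restricts output to.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}
CIPHER_NAMES = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
                8: "AES192", 9: "AES256", 10: "TWOFISH"}
PUBKEY_NAMES = {1: "RSA", 16: "ELG-E", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EDDSA"}
PGP6_HASHES, PGP6_CIPHERS, PGP6_PUBKEYS = {1, 2, 3}, {1, 2, 3}, {1, 16, 17}


def _name(table, algo):
    return table.get(algo, f"algo {algo}")


def pgp6_issues(dump):
    """Return the reasons a PGP 6 client would reject or misread the key in a
    `gpg --list-packets` text dump (an empty list means nothing was found)."""
    issues = []
    packet = None    # kind of packet being read, e.g. "public key", "signature"
    sigclass = None  # sigclass of the signature packet being read
    for raw in dump.splitlines():
        line = raw.strip()
        head = re.match(r":(.+?) packet:", line)
        if head:
            packet, sigclass = head.group(1), None
            continue
        if packet is None:
            continue
        # Key packets carry "version 4, algo 17, created ..., expires 0".
        if packet.endswith("key") and line.startswith("version"):
            algo = int(re.search(r"\balgo (\d+)", line).group(1))
            if algo not in PGP6_PUBKEYS:
                issues.append(f"{packet} uses {_name(PUBKEY_NAMES, algo)}, unknown to PGP 6")
            continue
        if packet != "signature":
            continue
        # Signature packets: "... sigclass 0x13" followed by "digest algo 2, ...".
        sm = re.search(r"sigclass 0x([0-9a-fA-F]+)", line)
        if sm:
            sigclass = int(sm.group(1), 16)
            continue
        dm = re.match(r"digest algo (\d+)", line)
        if dm:
            algo = int(dm.group(1))
            if algo not in PGP6_HASHES:
                cls = f"0x{sigclass:02x}" if sigclass is not None else "?"
                issues.append(f"signature (class {cls}) hashed with "
                              f"{_name(HASH_NAMES, algo)}, which PGP 6 cannot verify")
            continue
        # A subkey binding (class 0x18) with the sign flag (0x02) set: PGP 6
        # ignores signing subkeys, so signatures made with them look bad to it.
        km = re.search(r"\(key flags: 0x([0-9a-fA-F]+)\)", line)
        if km and sigclass == 0x18 and int(km.group(1), 16) & 0x02:
            issues.append("signing subkey present; PGP 6 cannot verify signatures made with it")
            continue
        # Preference lists: warn when no algorithm PGP 6 knows is offered at all.
        pm = re.search(r"\(pref-(sym|hash)-algos: ([\d ]+)\)", line)
        if pm:
            kind = pm.group(1)
            ids = [int(x) for x in pm.group(2).split()]
            ok, names = ((PGP6_CIPHERS, CIPHER_NAMES) if kind == "sym"
                         else (PGP6_HASHES, HASH_NAMES))
            if not any(a in ok for a in ids):
                listed = ", ".join(_name(names, a) for a in ids)
                issues.append(f"no PGP-6-compatible {kind} algorithm in preferences ({listed})")
    return issues


# Constructed dumps in gpg --list-packets format; these are not real keys.
COMPATIBLE_DUMP = """\
:public key packet:
    version 4, algo 17, created 1228000000, expires 0
:signature packet: algo 17, keyid 0123456789ABCDEF
    version 4, created 1228000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
    hashed subpkt 11 len 3 (pref-sym-algos: 3 2 1)
    hashed subpkt 21 len 2 (pref-hash-algos: 2 3)
"""
MODERN_DUMP = """\
:public key packet:
    version 4, algo 1, created 1228000000, expires 0
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1228000000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 9a bc
    hashed subpkt 27 len 1 (key flags: 0x03)
    hashed subpkt 11 len 3 (pref-sym-algos: 9 8 7)
    hashed subpkt 21 len 3 (pref-hash-algos: 8 9 10)
:public sub key packet:
    version 4, algo 1, created 1228000000, expires 0
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1228000000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest de f0
    hashed subpkt 27 len 1 (key flags: 0x02)
"""

if __name__ == "__main__":
    # Pipe a real dump in (gpg --export KEYID | gpg --list-packets) or run bare.
    text = sys.stdin.read() if not sys.stdin.isatty() else MODERN_DUMP
    for issue in pgp6_issues(text) or ["no PGP 6 incompatibilities found"]:
        print(issue)
```

On the constructed modern-style key the script reports five problems (SHA-256 self-signature and subkey binding, AES-only and SHA-2-only preferences, and a signing subkey); on the DSA/SHA-1 sample it reports none. A key that passes this check but still shows as bad in PGPkeys points at the client rather than the key; a key that fails it can be regenerated with GnuPG's --pgp6 option, which is what the thread's suggestion of newer software avoids having to do.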
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users