Re: Please select what kind of key you want ~~ suggestion to developers
On Mon, Feb 23, 2009 at 03:25:02PM -0500, Charly Avital wrote: Robert J. Hansen wrote the following on 2/23/09 2:52 PM: [...] What I'm saying is, the world first needs to learn to read. As far as I am concerned, this sentence is a most gratifying conclusion to this thread. Well, I would suggest that it goes deeper than that. The world first needs to learn to *want* literacy. There is no demand for a thing, no matter its excellence, until people see why they ought to want it. We're at a disadvantage here, compared to the benefits of reading, because successful use of crypto usually goes unnoticed. The most one can hope for is that an attacker will have more persistence than sense, and become intrusive enough to be detected by the wary before he succeeds. The smart ones will either succeed quickly and quietly, or walk away. *Are* there any success stories more compelling than, no compromises that we know of so far? -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Friends don't let friends publish revisable-form documents. pgpnqgPIZ3JKM.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want
Robert and David, thank you for increasing my understanding and pointing out the errors I made. g. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Please select what kind of key you want ~~ suggestion to developers
The easier it is for beginners to understand PGP/GPG technology, the faster its adoption into general use by the public will occur. Suggestion: add help as an option to gpg --gen-key and gpg --edit-key [ ID ] addkey Example: Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) (h) help on the above choices Sample help: Choice/Description If you choose a sign only key, you may also need to (1) DSA and Elgamal (default) Phasellus interdum nunc eget libero. In ante dui, ... (2) DSA (sign only) Vivamus ut libero eget tortor lobortis ... (5) RSA (sign only) Aliquam sit amet risus auctor felis ... Real and useful text should replace the random lorem ipsum* used in the above example.B-) Additionally, build more help/guidance text into PGP/GPG technology. Users are more likely to implement technologies that they understand once they have achieved a level of comfort with those technologies. Regards, Gerry (Lowry) * source: http://www.lipsum.com/. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
The easier it is for beginners to understand PGP/GPG technology, the faster its adoption into general use by the public will occur. There's a discipline in computer science called human-computer interaction (HCI). I took two courses in this in grad school: not enough to make me an expert, but definitely enough to open my eyes. One of the things my instructor, Juan-Pablo Hourcade, drilled into us is that we genuinely don't know what will speed adoption of new technologies. All we know is what successful technologies look like. Imagine there's a new hotness in IT. (IT: Information Technology.) This new hotness has the potential to change the world in ways that can barely even be explained to people who don't already have the technology. Everyone you meet who has this new technology -- let's call it flerbage -- they've got this magical ability to /know things/. Know things they can't possibly know, that they couldn't possibly have learned. Flerbage is where it's /at/. The only problem is that flerbage is ridiculously user-unfriendly. Most people who use flerbage, this smoking-hot new thing in IT, say it took them between ten and fifteen years to really learn it. The learning curve looks like the freaking Matterhorn. Also, flerbage can't be made easy for beginners to understand. You want flerbage, you're looking at a decade or more of serious, concentrated study. Sure, it's cool, but ... is it worth it? Would you say flerbage was a successful technology? Do you think flerbage will ever catch on? Flerbage is real, by the by. You're using it right now, this very instant. Scroll down and I'll tell you what it is. Literacy. Literacy is the original information technology. People who are literate have an enormous advantage over those who aren't. Wherever you look today you see signs, posters, advertisements, menus, whiteboards, warnings, labels and every other thing imaginable that's written down. Literacy gets taken for granted by almost everyone -- despite the fact that it takes most of your childhood and teenage years to get good at it. So no, I don't agree with your proposition. OpenPGP doesn't need to get easy for beginners to use. If it was that simple, we'd be there already. What needs to happen is the populace needs to understand the risks of electronic communication, and needs to become committed to doing something about it. If you can achieve that, then you will have done something great for humanity. But the world doesn't need another easy to use GnuPG interface. You're essentially saying, what the world needs is a really good book! What I'm saying is, the world first needs to learn to read. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Robert, yes, literacy is important, too. Your counter proposition also has validity. I point out, however, that by the time one is looking at Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) (h) help on the above choices she/he has likely already proceeded far enough along to have achieved some degree of literacy. Having reached that point, with regards to understanding PGP/GPG technology, she/he may still be a novice. Of course, had Michael W. Lucas been a bit clearer in his book, the (h) help on the above choices might not have been of benefit to myself. OTOH, it would nevertheless benefit many of those beginners who might not be aware of MWL's book and who might not have access to anything else written for novices. One problem is that many writers write for an audience that has already achieved domain erudition. Fortunately, for the rest of us, there are authors of __ for Dummies, et cetera. (where __ represents some subject of interest to the reader). So, Robert, I restate my proposition as The easier it is for informed, literate beginners to understand the need for PGP/GPG technology, and the easier it is for them to become aware of the existence of PGP/GPG technology, the faster the adoption of PGP/GPG technology into broad general use by the public will likely occur. Regards, Gerry P.S.: I finished high school in 1965 and went straight into working. In 1967, I became a programmer. Long before user friendliness was a broadly known and often abused concept, I was writing software that truly qualified as user friendly. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Robert J. Hansen wrote the following on 2/23/09 2:52 PM: [...] What I'm saying is, the world first needs to learn to read. As far as I am concerned, this sentence is a most gratifying conclusion to this thread. I am not suggesting to close the thread, on the contrary, keep them coming. Charly ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Robert, yes, literacy is important, too. Your counter proposition also has validity. You missed the point. Refer to my last three sentences. The world doesn't need another easy to use GnuPG interface. You're essentially saying, what the world needs is a really good book! What I'm saying is, the world first needs to learn to read. With respect to claims of experience, I don't put any stock in them, really. Or, as Rodney Whitaker wrote, do not fall into the error of the artisan who boasts of twenty years experience in his craft while in fact he has only one year of experience -- twenty times. As near as I can see, the principal problems are: 1. Gross ignorance 2. Fear of social disapproval With respect to #1... one of the most prestigious crypto conferences out there is called Financial Cryptography. A few years ago some enterprising grad students asked each FC attendee to fill out a very short questionnaire as part of their sign-in process. The results were astonishing: 60% of FC attendees did not know if their email client supported crypto, period -- even fewer knew if it supported OpenPGP or S/MIME. Only 50% were interested in switching to email clients with better crypto support. If only 40% of FC attendees know if their email client supports crypto, and only 50% care enough about crypto to consider changing their email clients, do you really think the general public will jump on board OpenPGP just if we create a snazzy interface with a lot of chrome? That's delusional. With respect to #2... Ed Felten has a really good sociological paper out on the intersection of computer security and the workplace. He and some of his grad students interviewed people at a politically- active nongovernmental organization (NGO) with an awful lot of enemies. Many (most) of the employees had been trained with PGP and found it reasonably easy to use. Despite that, they still didn't use it for email. Felten and his grad students wanted to find out why. It turns out that social disapproval played a very heavy role. There were a couple of people in the NGO who were privacy enthusiasts and active PGP users, and they were considered paranoids by the other workers in the office. Employees said things to the effect of yeah, I know email is dangerous, but I don't want to turn into, you know, one of _those_ guys. ... the general public does not know what email crypto is, does not want to know what email crypto is, does not want to care about email crypto. They just want to send email. Making GnuPG easier to use is a fine goal and worth pursuing in its own right, but it's not going to substantially improve GnuPG's adoption in the world. Saying the world needs a good book, that's why book sales are down! may be a true statement, and may be worth pursuing in its own right. However, the real problem is first we need to learn to read. GnuPG needs a good interface, that'll improve its usage numbers! may be a true statement, and may be worth pursuing in its own right. (In fact, I think it is.) But the real problem is that people don't know, don't want to know, and to the extent they do know they really don't care. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Robert, excellent points. I shall return to my thinking board. Amazing that, in today's world, with events like the infamous 9/11, identity theft, debit and credit card fraud, a plethora of Bernhard Madoffs making Carlo Ponzi sit up in his grave and take notice, and jobs going down the toilet daily, it surprises me that there is so little paranoia. I'm willing to share my paranoia. I've got enough for everybody. Perhaps it can be made into a vaccine.B-) I appreciate your always interesting, knowledgeable, and thoughtful ideas. Regards, Gerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Required reading: Garfinkel, S. L., Margrave, D., Schiller, J. I., Nordlander, E., and Miller, R. C. 2005. How to make secure email easier to use. In _Proceedings of the SIGCHI Conference on Human Factors in Computing Systems_ (Portland, Oregon, USA, April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710. DOI= http://doi.acm.org/10.1145/1054972.1055069 Some results from this paper were presented at FC2005, but is not the survey I mentioned in my previous message. That said, the results are substantially similar. The following is excerpted from the paper. If possible, though, I highly recommend you read the entire paper; it's an excellent overview of why secure email has failed to take off. Our survey consisted of 40 questions on 5 web pages. Respondents were recruited through a set of notices placed by Amazon's employees in the Amazon Seller's Forum. Participation was voluntary and all respondents were anonymous. ... A total of 1083 respondents [participated], with 417 of those respondents completing all five pages. ... Average age of our respondents was 41.5. Respondents were highly educated, with more than half claiming an advanced or college degree. Most described themselves as very sophisticated (18.0%) or comfortable (63.7%) using computers and the Internet. Roughly half the correspondents had obtained their first email account in the 1990s. The majority of respondents (94.4%) used computers running Microsoft Windows for email. The two other leading platforms were Apple Macintosh (8.5%) and some kind of mobile computing device such as a cell phone (5.8%). ... A majority (54%) of respondents understood the difference between digital signatures and sealing with encryption; that prior receipt of digitally signed mail significantly increased understanding of that difference; and that having previously received digitally signed email from Amazon increased respondents' overall trust in email. ... The majority (59%) didn't know [if their email client supported encryption], while another 9% chose the answer, what's encryption? ... Respondents with S/MIME-capable mail readers were more than twice as likely to know that their programs were capable of encryption, and half as likely to select the answer What's encryption? Nevertheless, the majority of [S/MIME-enabled] correspondents (54%) did not know the cryptographic capabilities of the software they were using. Almost half of our respondents (44.9%) indicated that they would be willing to upgrade their client in order to get more protection for their email... ... Although roughly half of our respondents indicated that they didn't use cryptography because they didn't know how, the free- response answers from the more knowledgeable respondents indicated that they either didn't think that encryption was necessary or else that the effort, if made, would be wasted. * I don't because I don't care. * I doubt any of my usual recipients would understand the significance of the signature. * Never had the need to send these kinds of emails. * I don't think it's necessary to encrypt my email frankly it's just another step something else I don't have time for! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
On Mon, Feb 23, 2009 at 11:55:51AM -0500, gerry_lowry (alliston ontario canada) wrote: The easier it is for beginners to understand PGP/GPG technology, the faster its adoption into general use by the public will occur. Suggestion: add help as an option to gpg --gen-key and gpg --edit-key [ ID ] addkey Example: Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) (h) help on the above choices While I more or less agree with Robert, and would note that the GPG built-in help is more intended as a reminder for those who already have some understanding of the concepts (you're not going to learn to code in C from the man pages), try typing a '?' here. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Robert J. Hansen wrote: Required reading: And let's add to that: Gaw, S., Felten, E. W., and Fernandez-Kelly, P. 2006. Secrecy, flagging, and paranoia: adoption criteria in encrypted email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600. DOI= http://doi.acm.org/10.1145/1124772.1124862 Again, read the entire thing. Email crypto is seen as the mark of a fearful or paranoid mind. The excerpt here should give you an idea of the paper, and will hopefully inspire you to read it for yourself. Abe worked in development. ... Because he handled financial data, Abe used encryption frequently, particularly when he received records from online donations (I tend to try and be sure I PGP everything that has a credit card number on it). He also communicated with an external vendor for recruitment. They used encryption to protect financial data when they synchronized their copies. Abe believed this setup was simple; he also thought some people ... needed to be more vigilant. He described how he tried to convince the head of campaigns in his home country to use encryption: Why? Because it was just good. If the ... police ever come and bust into the office, you shouldn't have a document saying, 'hey, I'm discussing how I'm going to campaign against [a controversial issue].' It's not the kind of information you want them to have. Despite his reasoned argument, his colleagues were uncooperative: most people see this as more work and want things simpler. ... Many of the employees interviewed ... had limits to their willingness to be more secure. In fact, moving beyond that limit was seen as abnormal or paranoid. ... Abe explained how someone could go overboard when he described how a representative of the PGP Corporation visited [the NGO]. Instead of a typical password authentication, the representative took off his necklace and used a removable flash drive that held his private key. The demonstration discouraged Abe: It was too over-the-top and definitely too complicated. It was like a movie. ... Yeah, I admire him because he comes in and puts his passphrase every single day, three times a day, so that's very dedicated to his stuff. He must either be very scared or very motivated. He was not sure whether this vigilance was justified. In fact, he associated it with being fearful, perhaps irrationally fearful. Abe reiterated this when asked to speculate on why a colleague sent every e-mail message encrypted. He figured this man has an automated system for encrypting e-mail or else he's nuts. ... [big snip here, switching to a different employee, 'Jenny', who has used PGP in the past and understands its use in contexts where secrecy is essential:] ... Jenny also thought it was abnormal to encrypt non-secret information. When the interviewer abstractly explained that people in security suggest all users encrypt all messages, Jenny was baffled: So you're saying that ... people should just -- even _normal_ people? That ... you're sending email to ... your mom, like, 'hey, things are going [pause]'? That you should encrypt your e-mail. That people should do all that. Jenny emphasizes normal people. _Normal_ people wouldn't encrypt normal messages. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
While in general I agree with what you've said in this thread Robert, I do want to present one small ray of hope. At my last job we dealt with a great deal of sensitive information (usually time sensitive, i.e., it would be released eventually but needed to be just right first) and being the dreaded technologist in a managerial role I strongly advocated the use of PGP in preference to other methods of secure communication for the obvious reasons (availability, cost, etc.). Once the IT department signed off, I actually started sitting with my colleagues and walking them through the process of generating keys, integrating with outlook, etc. Then the fun part, I started sending people encrypted stuff. This often required another round of walking people through the process, but eventually it became sort of accepted, and generally (although sometimes grudgingly) acknowledged as a Good Idea. When I got my first unsolicited encrypted item in the mail, I knew I that progress was being made. :) It's probably worth noting that this was a technology-friendly workplace, and before I arrived there was already a culture of acceptance for things like encrypted chat, etc. But my point is, it's not all bad news out there. hope this helps, Doug ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Please select what kind of key you want
Preamble -- Michael W. Lucas on page 73 in Chapter 4 of PGP GPG: Email for the Practical Paranoid, No Starch Press, (c) 2006, shows the following choices for Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Michael recommends choosing 5 which turns out to be a disadvantage that one might not discover until the first time that she/he attempts to encrypt something. AFAIK, other people can still encrypt for the user who has selected 5 above. And the user can decrypt whatever she/he receives. I do not recall Michael discussing the solution to the problems caused by selecting just (5) RSA (sign only), although, since his book is written for a beginner audience, I do think he should have addressed this problem. Nevertheless, I found his book still quite helpful. QUESTIONS - Especially because of my experience mentioned above, I tend to pay attention to the text that follows Please select what kind of key you want. The Windows' version that I used matches Michael's text: gpg --gen-key gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) From gpg --edit-keyIDaddkey, I also get (2) DSA (sign only) (4) Elgamal (encrypt only) (5) RSA (sign only) (6) RSA (encrypt only) -- where's (3) (3) ?? Why is there no (3) in the above two lists [gen-key list, addkey list]? Why are choices (4) Elgamal (encrypt only) and (6) RSA (encrypt only) not present in the gen-key list? Why is choices (1) DSA and Elgamal (default) not present in the addkey list? http://www.netbsd.org/developers/pgp.html == shows different choices for gpg --gen-key: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) ElGamal (sign and encrypt) (5) RSA (sign only) Exploring further Please select what kind of key you want via Google, I get the impression that there's potentially a standard that might read something like: position (1) should always be __; position (2) should always be __; position (3) should always be __; et cetera and for any position, you can offer nothing, sign only, encrypt only, or sign and encrypt together. Is that the case with regards to developer guidelines? Also, I'm guessing that although a developer might opt out of creating a key of type X, regardless, the developer must presumably support a complete set of encryption/decryption choices for the purpose of processing public and private keys properly. Is this the case? Thank you. Regards, Gerry (Lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want
Michael W. Lucas on page 73 in Chapter 4 of PGP GPG: Email for the Practical Paranoid, No Starch Press, (c) 2006, shows the following choices for Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Michael recommends choosing 5 which turns out to be a disadvantage that one might not discover until the first time that she/he attempts to encrypt something. In 2006, Lucas's advice was pretty solid. In 2009, not so much. The introduction of DSA2 has resolved most -- if not all -- of the reasons that motivated him and others to suggest RSA. AFAIK, other people can still encrypt for the user who has selected 5 above. And the user can decrypt whatever she/he receives. Not with a sign-only key. A sign-only key is only usable for signing; other people cannot encrypt to a sign-only key. Why is there no (3) in the above two lists [gen-key list, addkey list]? Elgamal signing keys were #3, IIRC. They were removed years ago due to some catastrophic bugs and the community's near-total abjuration of Elgamal signing keys. (IIRC, the total number of Elgamal signing keys on the keyserver network was in the neighborhood of 10.) Why are choices (4) Elgamal (encrypt only) and (6) RSA (encrypt only) not present in the gen-key list? Because when you generate a new key you /must/ generate a signing key. #s 4 and 6 are encryption-only keys, which means they can only be added to an already-existing signing key. Why is choices (1) DSA and Elgamal (default) not present in the addkey list? Why should they be? If you want to add a new DSA signing key, you can do that. If you want to add a new Elgamal encryption key, you can do that. Where's the problem? Also, I'm guessing that although a developer might opt out of creating a key of type X, regardless, the developer must presumably support a complete set of encryption/decryption choices for the purpose of processing public and private keys properly. Is this the case? Nope. An OpenPGP implementation is not required to support most of those algorithms. You can have a perfectly well conforming OpenPGP implementation which only supports SHA-1, DSA, Elgamal and 3DES. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want
On Feb 22, 2009, at 6:54 PM, gerry_lowry (alliston ontario canada) wrote: Preamble -- Michael W. Lucas on page 73 in Chapter 4 of PGP GPG: Email for the Practical Paranoid, No Starch Press, (c) 2006, shows the following choices for Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Michael recommends choosing 5 which turns out to be a disadvantage that one might not discover until the first time that she/he attempts to encrypt something. He recommends a RSA signing key and later adding a subkey for encryption. This is only a problem if someone does part 1 (the signing key) of his recommendation and skips part 2 (the encryption subkey) AFAIK, other people can still encrypt for the user who has selected 5 above. And the user can decrypt whatever she/he receives. This is not correct. A sign only key means sign only. It has no encryption capability. That's why you need a subkey to handle the encryption. I do not recall Michael discussing the solution to the problems caused by selecting just (5) RSA (sign only), although, since his book is written for a beginner audience, I do think he should have addressed this problem. Nevertheless, I found his book still quite helpful. QUESTIONS - Especially because of my experience mentioned above, I tend to pay attention to the text that follows Please select what kind of key you want. The Windows' version that I used matches Michael's text: gpg --gen-key gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) From gpg --edit-keyIDaddkey, I also get (2) DSA (sign only) (4) Elgamal (encrypt only) (5) RSA (sign only) (6) RSA (encrypt only) -- where's (3) (3) ?? Why is there no (3) in the above two lists [gen-key list, addkey list]? (3) and (7) are special cases for advanced users. They do not show up in the menu unless the --expert flag is given. They let you create a key with any features that you want (for example, you could create a RSA key that can sign and encrypt with a single key and not need subkeys at all). This is for advanced use only. Why are choices (4) Elgamal (encrypt only) and (6) RSA (encrypt only) not present in the gen-key list? They are not meaningful there. gen-key creates a primary key, and as per the OpenPGP standard, a primary key must be able to issue certification signatures. An encrypt only key, by definition, cannot issue signatures. Why is choices (1) DSA and Elgamal (default) not present in the addkey list? Again, not meaningful there. addkey creates subkeys. DSA+Elgamal is not a subkey (it's a shortcut for specifying a DSA primary and an Elgamal subkey). http://www.netbsd.org/developers/pgp.html == shows different choices for gpg --gen-key: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) ElGamal (sign and encrypt) (5) RSA (sign only) Exploring further Please select what kind of key you want via Google, I get the impression that there's potentially a standard that might read something like: position (1) should always be __; position (2) should always be __; position (3) should always be __; et cetera and for any position, you can offer nothing, sign only, encrypt only, or sign and encrypt together. Is that the case with regards to developer guidelines? No. The numbers have changed in the past, and may well change in the future. Also, I'm guessing that although a developer might opt out of creating a key of type X, regardless, the developer must presumably support a complete set of encryption/decryption choices for the purpose of processing public and private keys properly. Is this the case? Not really. It is true that the developer can choose to not allow creating certain key types in their OpenPGP program. It is also true, though, that the developer can choose to not support an algorithm at all. The only algorithms that are required to be supported are DSA for signing, Elgamal for encryption, 3DES as a symmetric cipher, and SHA-1 as a hash. Strictly speaking, everything else is optional. Of course, most programs support a good chunk of the optional algorithms. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
