Subject: Re: openpgp
To: Julien Gabel <jpeg@thilelli.net>
From: Gilbert Fernandes <gilbertf@netbsd-fr.org>
List: netbsd-help
Date: 09/30/2003 21:52:15
On Tue, Sep 30, 2003 at 07:41:35PM +0200, Julien Gabel wrote:

> Right: OpenPGP is a standard (derived from the first implementation of PGP
> software). Today, the most well-known implementations of the OpenPGP standard
> are PGP and GPG (in particular under a lot of the Unix-like variants).

It is derived from version 2.x of PGP, not
version 1.x.

PGP is, for most of its versions, not OpenPGP
(RFC 1991) compliant, while GnuPG is. For example,
OpenPGP requires implementations to produce v4
signatures but versions 5 and higher of PGP force
v3 signatures in violation of the RFC.

But it is true that recently GnuPG introduced a change
in the way it protects the secret key(s) to protect
those against attacks when the secret keyring has been
stolen or copied by an attacker, which is an enhancement
that puts GnuPG out of strict OpenPGP RFC compliance.
So the previous remark has to be somewhat moderated ;)

GnuPG offers strict OpenPGP RFC compliance (--openpgp)
which is based on PGP 2.x (use of RSA keys, v3 signatures,
and restricts you to using OpenPGP hash and enciphering
algorithms + enciphering to RSA keys only).

PGP 2 requires you to use an RSA key as destination (while
GnuPG and most recent PGP offer El Gamal, combined to
DSA separated so you can change cipher keys while keeping
the same key as long as you keep the DSA part). PGP 2 can't
handle MDC, v4 cert

PGP 6 uses a patented (not everywhere though) IDEA
and GnuPG can't use it by default, which is quite
bad when excellent and free algorithms like Blowfish
are available...

Recent PGP versions (8) are much closer to OpenPGP
and they are far better to use if you got GnuPG-based
people around you while you want to use PGP. The
more recent the version, the more enciphering algorithms
you'll benefit from (like Blowfish, Twofish that followed
it, still from Schneier and wider SHA versions).

So if you want good interoperability, it's wiser
to use either GnuPG or 8+ of PGP (they handle RFC
compliant v4 signatures but also MDC which is mostly
used with newer ciphers and when block size is 64 bits
or more, but talking of this would be out of context
for this discussion :)

If I had to choose between PGP 2.x and more recent PGP
versions (with the exception of versions 8+) I would stick
to PGP 2.x but since GnuPG has been introduced and
developed, why bother with PGP?

Philip (Zimmermann) should have joined the GnuPG effort
rather than keeping with PGP which only introduced
complexity and problems of interoperability (said
otherwise, plenty of bells and whistles) and what should
we think of PGP's attempt to close once and for all the
sources? At least Philip fought it.

-- 
Gilbert Fernandes