Rare condition incompatibility of public key

Robert J. Hansen rjh at sixdemonbag.org
Mon Dec 1 05:40:25 CET 2008


Myckel Habets wrote:
> The person who said to me that the key validates as bad uses the PGPkeys
> program from the PGP corporation software (version 6.58, last version
> that was released when Phil Zimmermann worked there, he doesn't trust
> later versions) to do the validation.

This is factually untrue.

Phil Z. left PGP Security, a branch of Network Associates, in early
2001.  This would've been just after the PGP 7.1 release.  Phil himself
has sworn to the solidness of the PGP 7.0 and 7.1 releases.  Despite
there being no source release, most people -- myself included --
consider Phil's word to be good.

Network Associates shut down PGP Security in early 2001.  PGP
Corporation was formed as a completely separate business entity which
purchased the desktop PGP products from Network Associates.  Most of the
key players from PGP Security came on board at the new PGP Corporation.

Phil Z. has officially left PGP Corporation to pursue other interests,
if memory serves.  This doesn't surprise me in the least.  After a
decade and a half at the same job, he's entitled to do other things.  As
of late, secure internet telephony has been his object of interest.
That said, Phil is still in close contact with many of the principal
people at PGP Corporation.

> 1) What is causing this problem? Is my key really bad or is this an
> incompatibility between PGPkeys version 6.58 and GPG?

Toyota has a philosophy that when investigating failures, one should ask
"why?" multiple times.

Q.  Why is this failure occurring?
A.  Your friend is using an antique version of PGP.

Q.  Why is your friend using an antique version of PGP?
A.  Your friend doesn't trust versions Phil hasn't worked on.

Q.  Why does your friend mistakenly think Phil hasn't worked on
    7.0 and later versions?
A.  ... I don't know.  You may want to look into this.


As far as engineering maxims go, the Toyota school of thought is pretty
good.  Find the deepest level of failure and fix that, rather than
fixing superficial problems.

Other people have suggested convincing your friend to use a more recent
version of PGP, or a recent version of GnuPG.  It's good advice, as far
as it goes.  I think the problem goes deeper than that, however.




