RFC2440

[ Contents ]

14. Implementation Nits

   This section is a collection of comments to help an implementer,
   particularly with an eye to backward compatibility. Previous
   implementations of PGP are not OpenPGP-compliant. Often the
   differences are small, but small differences are frequently more
   vexing than large differences. Thus, this list of potential problems
   and gotchas for a developer who is trying to be backward-compatible.

     * PGP 5.x does not accept V4 signatures for anything other than
       key material.

     * PGP 5.x does not recognize the "five-octet" lengths in new-format
       headers or in signature subpacket lengths.

     * PGP 5.0 rejects an encrypted session key if the keylength differs
       from the S2K symmetric algorithm. This is a bug in its validation
       function.

     * PGP 5.0 does not handle multiple one-pass signature headers and
       trailers. Signing one will compress the one-pass signed literal
       and prefix a V3 signature instead of doing a nested one-pass
       signature.

     * When exporting a private key, PGP 2.x generates the header "BEGIN
       PGP SECRET KEY BLOCK" instead of "BEGIN PGP PRIVATE KEY BLOCK".
       All previous versions ignore the implied data type, and look
       directly at the packet data type.

     * In a clear-signed signature, PGP 5.0 will figure out the correct
       hash algorithm if there is no "Hash:" header, but it will reject
       a mismatch between the header and the actual algorithm used. The
       "standard" (i.e. Zimmermann/Finney/et al.) version of PGP 2.x
       rejects the "Hash:" header and assumes MD5. There are a number of
       enhanced variants of PGP 2.6.x that have been modified for SHA-1
       signatures.

     * PGP 5.0 can read an RSA key in V4 format, but can only recognize
       it with a V3 keyid, and can properly use only a V3 format RSA
       key.

     * Neither PGP 5.x nor PGP 6.0 recognize Elgamal Encrypt and Sign
       keys. They only handle Elgamal Encrypt-only keys.

     * There are many ways possible for two keys to have the same key
       material, but different fingerprints (and thus key ids). Perhaps
       the most interesting is an RSA key that has been "upgraded" to V4
       format, but since a V4 fingerprint is constructed by hashing the
       key creation time along with other things, two V4 keys created at
       different times, yet with the same key material will have
       different fingerprints.

     * If an implementation is using zlib to interoperate with PGP 2.x,
       then the "windowBits" parameter should be set to -13.

HTML conversion and comments on this are RFC are Copyright (c) 1998 Werner Koch, Remscheider Str. 22, 40215 Düsseldorf, Germany. Verbatim copying and distribution is permitted in any medium, provided this notice is preserved. See here for copyright information on the RFC itself.

Updated: 1999-09-30 wkoch