Slashdot Mirror


GNU Privacy Guard (GPG) PGP Alternative

Scrub writes "The GNU Privacy Guard (GPG) 1.0.0 has been released. GPG is intended to be a free replacement for PGP. The good thing about it is that it doesn't make any use of patented algorithms and that its development was outside the US. US crypto-laws just don't apply here, what a pity!"

3 of 43 comments

  1. (GPG,PGP) How often do you change your underwear? by Speare · Score: 5
    When I considered my first domain name, I kinda thought I'd use it forever. (I didn't.)
    When I considered my first public key, I kinda thought I'd use it forever.
    Reading about the GPG replacement for PGP, my first thoughts were
    1. why in the heck would I relinquish or muddy my established identity contained within my existing uncompromised PGP public key and signature?
    2. since stock PGP wouldn't handle GPG keys and methods, who could send me secure messages?
    3. if I can't get around (1) and (2), why bother with GPG?
    4. if GPG is OpenPGP, does that mean my rsa-patent-encumbered PGP5.5.5 or 6+ will be able to send to all those people who do make GPG keys?
    --
    [ .sig file not found ]
  2. Just to dispel a few honest mistakes people made.. by Anonymous Coward · Score: 5

    Firstly, it is *NOT* illegal for a U.S. citizen to have hard encryption (in this case, >56 bits) on his laptop when taken abroad. Export rules *specifically* exempt this, because otherwise anyone travelling abroad with a laptop full of crypto (for which there are countless valid business uses which the gov't wants to sponsor, to secure U.S. corporate secrets) would be forced to apply for an export permit. So, you can have crypto on your laptop when going abroad, you just cannot distribute it abroad and must only use it yourself. No problem there.

    Now, as for the guy who questioned cipher strength: 3DES is arguably stronger than 128-bit Blowfish, CAST, or any other such comparable algorithms. I say "arguably" because all are secure from all currently known attacks. See, 3DES uses a combination of 3 56-bit DES encryptions with 3 different keys to produce a 168-bit encrypted ciphertext. Now, because of some mathematical vagaries I won't bore you with, the actual strength of the encryption hovers between 112 and 128 bits, but is in any event as secure as any other strong algorithm with 128 bits or so of key material. So no, it is neither weak nor a poor choice for symmetric encryption, but that's beside the point--something like GPG is primarily used for asymmetric crypto, and you should use different programs each for their forte.

    Personally, for symmetric crypto, I'd like to see someone port freeware Scramdisk to Linux. Scramdisk is a well-regarded open-source Win9x application developed by denizens of sci.crypt and offers 9 algorithms ranging to 256-bit Blowfish which can be used for encrypting "virtual filesystems" or whole partitions. I don't know of anything comparable for Linux yet...

  3. Migrating from PGP to GPG by ksheff · Score: 4

    Check out the Moving from PGP to GPG guide. It will show you how to move pgp5 keys to gpg for exchanging encrypted messages with people using pgp5.

    --
    the good ground has been paved over by suicidal maniacs