Re: how to signencrypt with gpg for pgp2

[Simon Josefsson <jas@extundo.com>]

Matthias Andree <ma@dt.e-technik.uni-dortmund.de> writes:

>> We should make the "separate" mode work correctly though.  This is
>> somewhat unfortunate though.  An alternative would be to state that we
>> cannot talk to PGP 2.x properly.
>
> "Replacing PGP 2.x with GnuPG" by Kyle Hasselbacher et al,
> <URL:http://www.gnupg.org/gph/en/pgp2x.html>, comes to our rescue:
> it documents a workaround (with minor errors in the first of the four
> stages). It's not trivial, but works.

OK, this convinced me.  Apparently pure GnuPG users can't talk to PGP
2.x anyway, so this only affect people that have imported their old
PGP 2.x into GnuPG but still want to talk to PGP 2.x users.  It
doesn't look like a broad audience, and they are probably competent
enough to either configure PGG to use PGP 2.x (which is supported), or
customize pgg-gpg-program to "gpg-2comp", or customize
mml-signencrypt-style-alist (although the output doesn't look right in
Gnus due to the recursive UU decoding problem, but that may be fixed
in the future), or add support for the two-pass mode in pgg-gpg.el, or
talk their PGP 2.x users into using GnuPG.

I have written down some things learned from this thread in the
Message manual, in the Security node.  The relevant section included
below, comments appreciated.  Thanks to everyone who provided
information.

(Of course, if someone disagree with this, I can be convinced
otherwise again. :-))

Using PGP/MIME
--------------

   PGP/MIME requires an external OpenPGP implementation, such as GNU
Privacy Guard (http://www.gnupg.org/).  Pre-OpenPGP implementations
such as PGP 2.x and PGP 5.x are also supported.  One Emacs interface to
the PGP implementations, PGG (see *note PGG: (pgg)Top.), is included, but
Mailcrypt and Florian Weimer's `gpg.el' are also supported.

   Note, if you are using the `gpg.el' you must make sure that the
directory specified by `gpg-temp-directory' have permissions 0700.

   Creating your own key is described in detail in the documentation of
your PGP implementation, so we refer to it.

   If you have imported your old PGP 2.x key into GnuPG, and want to
send signed and encrypted messages to your fellow PGP 2.x users, you'll
discover that the receiver cannot understand what you send. One
solution is to use PGP 2.x instead (i.e., if you use `pgg', set
`pgg-default-scheme' to `pgp').  If you do want to use GnuPG, you can
use a compatibility script called `gpg-2comp' available from
<http://muppet.faveve.uni-stuttgart.de/~gero/gpg-2comp/>.  You could
also convince your fellow PGP 2.x users to convert to GnuPG.  As a
final workaround, you can make the sign and encryption work in two
steps; separately sign, then encrypt a message.  If you would like to
change this behavior you can customize the
`mml-signencrypt-style-alist' variable.  For example:

     (setq mml-signencrypt-style-alist '(("smime" separate)
                                         ("pgp" separate)
                                         ("pgpauto" separate)
                                         ("pgpmime" separate)))

   This causes to sign and encrypt in two passes, thus generating a
message that can be understood by PGP version 2.

   (Refer to <http://www.gnupg.org/gph/en/pgp2x.html> for more
information about the problem.)