PGP 5.0 DIGITAL SIGNATURE REQUEST
JamesTracy95820
2009-03-23 04:38:03 UTC
HI FOLKS:

I'm running PGP version 5.0 for windows. I've been using it for years
and just love it. I've managed to get many of my friends and family
in line with it as well.

My request: I'd like to get at least 10 people that would send me a
digital signature of it just to make absolutely sure I have a valid
copy of it.

I just need you to digitally sign, using a detached signature, the EXE
installation file and send that and your public key to me.

I can then run your digital signature against my copy of the install
file and ensure it's not been tampered with.

My email address is:

***@gmail.com

Any help MOST appreciated.

I'll post the results here as well.

As I mentioned, I'm going for around 10 from random people.

Those back-doors....you never can be TOO careful!

Thanks!
Neil W Rickert
2009-03-23 11:29:10 UTC
Post by JamesTracy95820
I'm running PGP version 5.0 for windows. I've been using it for years
and just love it. I've managed to get many of my friends and family
in line with it as well.
Is that Windows 3.1?

If you are running Windows 95 or later, I'm wondering why you
would still be using PGP 5. If you are running Win2k or later,
I suggest you go with either PGP 9.x, or GnuPG (look for the
"gpg4win" package). As a gmail user, you might benefit from using
GnuPG together with the "FireGPG" extension to firefox.
Post by JamesTracy95820
My request: I'd like to get at least 10 people that would send me a
digital signature of it just to make absolutely sure I have a valid
copy of it.
Lots of luck. I seem to remember that I once had a copy of PGP 5
for windows. But I replaced it with PGP 6.5.x long ago. You will
be lucky to find 10 people who actually have a copy of PGP 5.

My memory is a bit hazy. But I seem to remember that PGP 5 came in a
zip file. When you unzipped the file, it contained an installer and
a PGP signature. That PGP signature was by an employee of pgp.com,
and checking that should have been sufficient. The signer's key
had itself been signed by Phil Zimmermann.

I'm not seeing any benefit to the 10 signatures that you are seeking.
JamesTracy95820
2009-03-23 11:44:48 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm running PGP version 5.0 for windows.  I've been using it for years
and just love it.  I've managed to get many of my friends and family
in line with it as well.
Is that Windows 3.1?
If you are running Windows 95 or later, I'm wondering why you
would still be using PGP 5.  If youi are running Win2k or later,
I suggest you go with either PGP 9.x, or GnuPG (look for the
"gpg4win" package).  As a gmail user, you might benefit from using
GnuPG together with the "FireGPG" extension to firefox.
My request:  I'd like to get at least 10 people that would send me a
digital signature of it just to make absolutely sure I have a valid
copy of it.
Lots of luck.  I seem to remember that I once had a copy of PGP 5
for windows.  But I replaced it with PGP 6.5.x long ago.  You will
be lucky to find 10 people who actually have a copy of PGP 5.
My memory is a bit hazy.  But I seem to remember that PGP 5 came in a
zip file.  When you unzipped the file, it contained an installer and
a PGP signature.  That PGP signature was by an employee of pgp.com,
and checking that should have been sufficient.  The signers key
had itself been signed by Phil Zimmerman.
I'm not seeing any benefit to the 10 signatures that you are seeking.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAknHcoMACgkQvmGe70vHPUPAHACcCCyB/FwZIwdTD+wZqY7cfOBH
w08AmwVU67U9sLoh/wE9qG9oKkgQjjeP
=5cpQ
-----END PGP SIGNATURE-----
Thanks for your reply!

Yeah - I'm definitely behind the times. My problem is that I've
worked hard to get friends and family in line with PGP over the years,
and changing to a new version would be hard to do. It was super hard
just convincing people to use PGP in the first place. I suspect you
know exactly what I mean. I'd switch in a heartbeat if it wasn't for
everybody else.

I've had my copy of PGP 5.0 for windows for years and use it almost on
a daily basis on an XP-PRO machine. It works perfectly, although
someone else made a vague comment about lots of bugs - but I've
researched the bugs, and they don't pertain to me, and the one that
does I'm working to correct.

If you know of a list of bugs for this version, I'd be interested in
reviewing it. If there are any large security flaws, I would HAVE to
switch. Otherwise, this version has performed without a single glitch
over the years. And the people that I've convinced are happy with it
as well.

That signature file that came with my version was lost long, long ago
unfortunately.

I've found one random stranger that I'm in the process of getting a
digital signature from, so that'll be one down. At first, 10 seemed
like a good number - but I suspect that to get all ten will take
months - but that's OK. I'm very patient.

Here's my digital signature, along with a screen shot of my hash
program, for what it's worth.

http://www.JamesEdwardTracy.com/STUFF/2009-03/PGP-50-SIGNATURE.zip

http://www.JamesEdwardTracy.com/STUFF/2009-03/PGP-50-SIGNATURE.zip.sig


If anyone out there has a copy of the installation file, just run my
digital signature against it and see what happens.

Anyway, given what I've explained, what do you think about me keeping
5.0? Am I good to go, or are there things about it that I should
scrap it??

Thanks for your help...

...jimbo
Neil W Rickert
2009-03-24 03:06:53 UTC
Post by JamesTracy95820
If you know of a list of bugs for this version, I'd be interested in
reviewing it.
I don't have the list. However, my best recollection is that
the worst bug is in poor use of "/dev/random" in unix, possibly
resulting in predictable keys. I don't think that applies to the
windows version, though I'm not sure.

A more serious problem that you will eventually run into, is that
many people are using newer keys that are not properly recognized
by PGP 5. The key used by USCERT
https://www.us-cert.gov/pgp/info.asc
will likely cause problems for you.
David E. Ross
2009-03-24 05:14:32 UTC
Post by Neil W Rickert
Post by JamesTracy95820
If you know of a list of bugs for this version, I'd be interested in
reviewing it.
I don't have the list. However, my best recollection is that
the worst bug is in poor use of "/dev/random" in unix, possibly
resulting in predictable keys. I don't think that applies to the
windows version, though I'm not sure.
A more serious problem that you will eventually run into, is that
many people are using newer keys that are not properly recognized
by PGP 5. The key used by USCERT
https://www.us-cert.gov/pgp/info.asc
will likely cause problems for you.
The US-CERT keys are RSA v.4. PGP 5.0 supports RSA v.3 but not v.4.
--
David E. Ross
<http://www.rossde.com/>.

Don't ask "Why is there road rage?" Instead, ask
"Why NOT Road Rage?" or "Why Is There No Such
Thing as Fast Enough?"
<http://www.rossde.com/roadrage.html>
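
The key-version distinction raised in the post above can be read straight out of a key file. The following is an added example, not part of the thread: it walks the packets of a binary (non-armored) OpenPGP key and reports each key packet's version and algorithm. It assumes the RFC 4880 packet layout; the function names are hypothetical and the sample packets are constructed toy values, not real keys.

```python
KEY_TAGS = {6: "public-key", 14: "public-subkey"}

def iter_packets(data):
    """Yield (tag, body) for each packet in binary (non-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: 6-bit tag, variable-size length
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body length not handled here")
        else:  # old-format header: 4-bit tag, 2-bit length type
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length

def key_versions(data):
    """Return [(packet kind, key version, algorithm id)] for each key packet."""
    # v2/v3 body: version, time(4), validity days(2), algorithm
    # v4 body:    version, time(4), algorithm
    return [(KEY_TAGS[t], b[0], b[7 if b[0] < 4 else 5])
            for t, b in iter_packets(data) if t in KEY_TAGS]

def rsa_v4_keys(data):
    """Key packets of the kind the post says PGP 5.0 lacks support for: RSA (id 1), v4."""
    return [k for k in key_versions(data) if k[1] == 4 and k[2] == 1]

# Constructed sample packets (toy values, not real keys).
MPIS = b"\x00\x09\x01\x05" + b"\x00\x05\x11"  # tiny modulus and exponent
V3_KEY = b"\x99" + (8 + len(MPIS)).to_bytes(2, "big") + b"\x03" + bytes(6) + b"\x01" + MPIS
V4_KEY = b"\xc6" + bytes([6 + len(MPIS)]) + b"\x04" + bytes(4) + b"\x01" + MPIS
```

An ASCII-armored key has to be dearmored to binary before it is passed to `key_versions`.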
JamesTracy95820
2009-03-23 11:31:29 UTC
I'm running PGP version 5.0 for windows.  I've been using it for years
and just love it.  I've managed to get many of my friends and family
in line with it as well.
My request:  I'd like to get at least 10 people that would send me a
digital signature of it just to make absolutely sure I have a valid
copy of it.
I just need you to digitally sign, using a detached signature, the EXE
installation file and send that and your public key to me.
I can then run your digital signature against my copy of the install
file and ensure it's not been tampered with.
Any help MOST appreciated.
I'll post the results here as well.
As I mentioned, I'm going for around 10 from random people.
Those back-doors....you never can be TOO careful!
Thanks!
Here is my digital signature of PGP 5.0 for windows:

http://www.JamesEdwardTracy.com/STUFF/2009-03/PGP-50-SIGNATURE.zip

http://www.JamesEdwardTracy.com/STUFF/2009-03/PGP-50-SIGNATURE.zip.sig


THANKS!

...jimbo