-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message Hi, David Shaw wrote a patch against GnuPG 1.2.3 to disable the ability to create signatures using the ElGamal sign+encrypt (type 20) keys as well as to remove the option to create such keys. This patch will go into the next release; if you feel better with those flawed features disabled, you may want to apply this patch. Thanks, Werner
Index: getkey.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/getkey.c,v
retrieving revision 1.78.2.20
diff -u -r1.78.2.20 getkey.c
--- getkey.c 21 Jul 2003 14:55:00 -0000 1.78.2.20
+++ getkey.c 27 Nov 2003 00:32:30 -0000
@@ -1655,6 +1655,11 @@
 if ( x ) /* mask it down to the actual allowed usage */
 key_usage &= x;
 }
+
+ /* Type 20 Elgamal keys are not usable. */
+ if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
+ key_usage=0;
+
 pk->pubkey_usage = key_usage;
 
 if ( !key_expire_seen ) {
@@ -1869,6 +1874,13 @@
 if ( x ) /* mask it down to the actual allowed usage */
 key_usage &= x;
 }
+
+ /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
+ not usable. */
+ if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
+ || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
+ key_usage=0;
+
 subpk->pubkey_usage = key_usage;
 
 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
Index: keygen.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/keygen.c,v
retrieving revision 1.90.2.11
diff -u -r1.90.2.11 keygen.c
--- keygen.c 16 Jul 2003 03:09:15 -0000 1.90.2.11
+++ keygen.c 27 Nov 2003 00:32:31 -0000
@@ -958,8 +958,6 @@
 tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
 if( addmode )
 tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
- if (opt.expert)
- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
 tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
 if (addmode)
 tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
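Review bot: Setting `key_usage=0` in the hunk at -1655 clears the encryption capability as well as signing, while the accompanying message speaks only of disabling signature creation, and the added comment does not say that this is deliberate or why. A comment such as `/* Type 20 (sign+encrypt) Elgamal keys are flawed: clear every usage flag so the key is never selected for signing or encryption. */` would make the intent clear. Nothing in the visible lines tells the user why the key was rejected, so if the callers (outside the hunk) only report a generic unusable-key error, a `log_info` line naming the key here would help. The enforcement also presumably depends on callers requesting a specific usage, so lookups that request none should be checked separately. The same points apply to the subkey hunk at -1869.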
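Review bot: The condition added at -1869 also zeroes the usage of an otherwise sound subkey whenever the primary is type 20, and the comment states that without giving the reason. Presumably the reasoning is that the binding signature comes from the flawed primary, so the subkey cannot be trusted either; the comment should say so, for example `/* A type 20 primary cannot vouch for its subkeys, so they are disabled as well. */`. `mainpk` and `subpk` are defined outside the hunk, so whether `mainpk` can ever be the subkey itself or NULL here cannot be confirmed from these lines.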
@@ -989,21 +987,6 @@
 algo = PUBKEY_ALGO_RSA;
 *r_usage = PUBKEY_USAGE_SIG;
 break;
- }
- else if( algo == 4 && opt.expert)
- {
- tty_printf(_(
-"The use of this algorithm is only supported by GnuPG. You will not be\n"
-"able to use this key to communicate with PGP users. This algorithm is also\n"
-"very slow, and may not be as secure as the other choices.\n"));
-
- if( cpr_get_answer_is_yes("keygen.algo.elg_se",
- _("Create anyway? ")))
- {
- algo = PUBKEY_ALGO_ELGAMAL;
- *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
- break;
- }
 }
 else if( algo == 3 && addmode ) {
 algo = PUBKEY_ALGO_ELGAMAL_E;
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/xa20aLeriVdUjc0RAvXcAKCIxQR0JbaxfX/EFpI4NLcb4vUI2ACZAQTx zfX4QUrn7HnluPP4Pfoofdk= =OtPO -----END PGP SIGNATURE-----