Migrate? That data is in my mail archive. While it would be possible for
me to write a program to scan the mail file for pgp blockes, check which
pgp version is used, decrypt the data, re-encrypt it with a modern gpg
version and replace that textblock, it would still lose information
about dates and signatures.
No, and that entire line of argument is disingenuous.
You use PGP 2.6 to decrypt/verify each message. You verify the
signature to whatever degree you feel is necessary, and write an
attestation: "On January 21 at 12:56am I successfully decrypted this
message with hash value X and verified the PGP 2.6 signature as
belonging to Y. I then re-encrypted it to myself, and that ciphertext
has hash value Z." Sign the attestation. You re-encrypt the plaintext
to your current OpenPGP certificate. You attach (via PGP/MIME) the PGP
2.6 ciphertext and your attestation.
Presto. You now have encrypted text you can use with GnuPG 2.3. If you
need to verify the document you can verify the signature on the
attestation. If the signature is good, clearly no one has tampered with
your declaration. To do a more rigorous verification you can check the
hash values of the ciphertexts. To do a most-rigorous verification you
can run PGP 2.6.3 on the original attachment.
We've known how to do this for at least a quarter-century, Johan.
25 years.
Twenty. Five. *Years*.
Now, it's true that hardly anyone does this, and there's not exactly
much demand for tools that do this. That is, I'm convinced, because in
the real world, there's nobody who needs to do this.
I repeat: if you really needed this functionality, you've had a
quarter-century to do something about it, a quarter-century where we've
known what to do about it. If you're not migrating, that's on you.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
