author Werner Koch <[email protected]> 2012-06-25 14:27:04 +0000
committer Werner Koch <[email protected]> 2012-06-25 14:27:04 +0000
commit 2b32eb15aac8cde4144243a67bd4f27f724bc78b (patch)
tree 85fcd888a0b7aa955ba954869424184ee54580f9 /doc/gpg.texi
parent scd: handle reader/token removal. (diff)
gpg: Disallow the use of v3 keys. [disallow-v3-keys]
* g10/gpg.c: Add options --allow-v3-keys and --no-allow-v3-keys.
(main): Enable --allow-v3-keys in --pgp2 mode.
* g10/options.h (opt): Add field allow_v3_keys.
* g10/import.c (delete_v3_subkeys): New.
(import_one): Skip v3 keys and delete v3 subkeys.
(import_print_stats): Print stats on v3 keys and subkeys.
* g10/getkey.c (finish_lookup): Skip v3 keys.
--

This is a first take on disabling v3 keys. We may need to add some tweaks to make decryption using an existing v3 key easier. There is no need to disallow decryption.

Thanks to Georgi Guninski for putting some pressure on us to finally do what PGP 2 folks will probably not like. See the discussion on gnupg-devel starting 2012-06-22.
Diffstat (limited to 'doc/gpg.texi')
-rw-r--r-- doc/gpg.texi 14
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 420326b5d..d8e4bcdef 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -2637,6 +2637,20 @@ Disable all checks on the form of the user ID while generating a new
one. This option should only be used in very special environments as
it does not ensure the de-facto standard format of user IDs.
+@ifset gpgtwoone
+@item --allow-v3-keys
+@itemx --no-allow-v3-keys
+@opindex allow-v3-keys
+Allow the use of deprecated v3 keys with @command{gpg}. The default
+is not to allow their use.
+
+Since version 2.1 GnuPG does not anymore allow the import or use of v3
+keys. Those keys have been generated in the past by PGP 2 and exhibit
+a couple of flaws. For example they rely on the broken MD5 algorithm.
+OpenPGP has long deprecated their use (cf. RFC-4880, section 5.5.2).
+This option may be used to exceptionally allow their use.
+@end ifset
+
@item --ignore-time-conflict
@opindex ignore-time-conflict
GnuPG normally checks that the timestamps associated with keys and
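Review bot: The paragraph beginning "Since version 2.1" says GnuPG no longer allows "the import or use" of v3 keys, but it leaves out two behaviours the commit message describes. First, g10/gpg.c (main) enables --allow-v3-keys in --pgp2 mode, so a user who sets --pgp2 gets v3 keys back without ever seeing this option; the entry should say that --pgp2 implies --allow-v3-keys. Second, the commit message says there is no need to disallow decryption, yet "use" in the documentation reads as covering decryption with an existing v3 key; please state which operations are actually refused by default (import and key lookup, per import_one and finish_lookup) so that readers do not assume old ciphertext is unreadable. Since this option re-enables keys the text itself describes as relying on "the broken MD5 algorithm", it would also help to say what "exceptionally" is meant to cover. Minor style points: "does not anymore allow" reads better as "no longer allows", and "The default is not to allow their use" in the first paragraph repeats the opening sentence of the second.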