Here are a few suggestions for improvements and bug reports for PGP.

A) Suggestions for improvements

1. PGP shouldn't make a copy (.bak) of the keyring unless it is certain that some modifications will be applied to it. For instance, the copy should be made not directly after a positive reply to the question whether I want to add new keys to the keyring, but only after it is determined that there are new keys and the user has answered positively to the question whether the first of them has to be added to the keyring.

2. Add the capability to issue signature revocation certificates. A signature revocation certificate should be issuable only by the person who has issued the signature and should be valid only for a particular key - the one that has been signed.

3. Add the capability to issue userID revocation certificates.

4. If a key revocation certificate is added to a keyring, on the next "pgp -kc" command PGP should remove all signatures on other keys that have been generated by the revoked key.

5. It should be possible to extract a whole "web of trust" tree of keys from a particular keyring. That is, there should be a way to extract a particular public key, the public keys of all persons who have signed this public key, the public keys of the people who have signed their public keys, and so on.

6. During encryption ("pgp -e") it should be possible to specify a different public keyring from the command line (with a command-line option) - just as it is possible to do that during the key management commands ("pgp -k").

7. Modify the signal() syscalls so that if they are ignored on entry, pgp leaves them ignored. This allows pgp to run as a background process under Unix without being interrupted if someone hits DEL from the foreground.
Here is how you do this; in file pgp.c:

970a971,973
> #ifdef UNIX
> if(signal(SIGINT, SIG_IGN) != SIG_IGN)
> #endif /* UNIX */
973,974c976,979
< signal(SIGHUP,breakHandler);
< signal(SIGQUIT,breakHandler);
---
> if(signal(SIGHUP, SIG_IGN) != SIG_IGN)
> signal(SIGHUP,breakHandler);
> if(signal(SIGQUIT, SIG_IGN) != SIG_IGN)
> signal(SIGQUIT,breakHandler);

8. It should be possible to enter more than one recipient when PGP asks interactively for the recipient of the message.

9. Implement an "alias" feature. For instance, a file called ALIASES.PGP could contain definitions of aliases and the lists of userIDs (or keyIDs) each alias replaces. For instance, if we have

    mygroup=Joe User, smith*, 0x123456

then the command

    pgp -seat message.txt mygroup

should be equivalent to the command

    pgp -seat message.txt "joe user" smith 0x123456

10. Distribute the available language modules (ALL of them that are mentioned in the documentation, not only the Spanish and French modules) in a separate archive (i.e., one separate archive each for sources, executables, documentation and language modules).

11. When using -kv, the " key(s) examined" phrase is misleading - *all* the keys are examined, but only key(s) have been found which match. The message must be changed to " key(s) examined, matching keys found".

12. When checking a detached signature, the phrase `Please enter filename of text that signature applies to:' is also badly worded, as detached signatures are often used with executables or archives (PGP itself is a case in point). I suggest that `of text' be removed.

13. Given that user IDs cannot be modified, only added or deleted (and rightly so), "Do you want to change your user ID (y/N)?" should be "Do you want to add a new user ID (y/N)?".

14. It should be possible to conceal the fact that some message is PGP-encrypted. There should be an option which causes the output to be written without the standard headers.
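Review bot: the first hunk (970a971,973) puts `#endif /* UNIX */` between `if(signal(SIGINT, SIG_IGN) != SIG_IGN)` and the unchanged `signal(SIGINT, ...)` call on the following line that it is meant to guard; that compiles, because the preprocessor removes the #ifdef lines, but the dangling `if` is easy to misread or to break with a later edit, so a short comment on the added line (why an already-ignored SIGINT must stay ignored) would help. The second hunk (973,974c976,979) applies the same check-then-install pattern to SIGHUP and SIGQUIT without the `#ifdef UNIX` guard the first hunk uses; if those two calls are already inside a UNIX-only region that is fine, otherwise the guards should match. In both hunks a signal that arrives between the `SIG_IGN` probe and the re-installation of breakHandler is discarded rather than handled; the window is a few instructions wide, but it deserves a comment so nobody later relies on breakHandler catching every interrupt.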
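Item 9 above only sketches the alias file. The following is an added example, not code from PGP or from the original suggestion list, of how such an ALIASES.PGP file could be parsed and applied to a recipient list. The file syntax (one "name=member, member, ..." per line, '#' starting a comment, aliases allowed to name other aliases) and the command-line layout handled by expand_command_line are assumptions; the sample file is constructed.

```python
"""Alias expansion for PGP recipient lists, as sketched in item 9.

Added example, not part of the original suggestion list or of PGP itself.
The ALIASES.PGP syntax (one "name=member, member, ..." per line, '#' for
comments, aliases allowed to refer to other aliases) is an assumption.
"""

# Constructed sample of an ALIASES.PGP file.
SAMPLE_ALIASES = """\
# group aliases
mygroup=Joe User, smith*, 0x123456
team=mygroup, Alice Example
loop=loop, Bob
"""


def parse_aliases(text):
    """Parse ALIASES.PGP text into {alias (lower case): [member, ...]}."""
    aliases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"ALIASES.PGP line {lineno}: expected name=member,...")
        name, members = line.split("=", 1)
        aliases[name.strip().lower()] = [m.strip() for m in members.split(",") if m.strip()]
    return aliases


def expand_recipients(args, aliases):
    """Replace alias names in a recipient list by their members, recursively.

    Matching is case-insensitive, like PGP's user ID matching.  A member that
    is not an alias is emitted as PGP would take it on the command line: lower
    case, with a trailing '*' dropped (PGP already matches substrings); key IDs
    (0x...) pass through untouched.  An alias is never re-entered while it is
    being expanded, so self-referencing or mutually referencing aliases
    terminate.  Duplicates are removed, keeping the first occurrence.
    """
    expanded = []

    def walk(name, in_progress):
        key = name.lower()
        if key in aliases:
            if key in in_progress:          # cycle: skip instead of recursing forever
                return
            for member in aliases[key]:
                walk(member, in_progress | {key})
        else:
            expanded.append(key.rstrip("*"))

    for arg in args:
        walk(arg, frozenset())

    unique = []
    for recipient in expanded:
        if recipient not in unique:
            unique.append(recipient)
    return unique


def expand_command_line(argv, aliases):
    """Expand aliases in a command line of the form pgp <options> <file> <recipients...>.

    Assumes, as in item 9, that everything after the first non-option argument
    (the message file) is a recipient.  Returns the rewritten argv.
    """
    head, recipients = [], []
    for i, arg in enumerate(argv):
        head.append(arg)
        if i > 0 and not arg.startswith("-"):
            recipients = argv[i + 1:]
            break
    return head + expand_recipients(recipients, aliases)


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    print(expand_command_line(["pgp", "-seat", "message.txt", "mygroup"], table))
```

With the sample file, `pgp -seat message.txt mygroup` becomes `pgp -seat message.txt "joe user" smith 0x123456`, exactly the equivalence item 9 asks for; the `loop` alias shows why the cycle guard matters, since an alias file is user-editable and a careless definition must not hang the program.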
If an attempt is made to decrypt the message with the wrong key, it should decrypt to garbage.

15. When PGP is unable to decrypt a message using the available secret keys, it should just say so and not display the userID of the user who will be able to decrypt the message.

16. If EncryptToSelf is set to ON, PGP should use the userID of the first available key in the secret keyring, unless the MyName variable is set.

17. Add the optional ability to use triple-DES for secret-key encryption (instead of IDEA). Even better, re-design the packet format to allow other secret-key ciphers to be used - both for conventional encryption and for the secret-key encryption of public-key encrypted messages. The latter is possible now, but is not documented. The former is not possible, due to a bad design of the Conventionally Encrypted Data Packet record. We need a new CTB, indicating CEDPs encrypted with algorithms other than IDEA.

18. There should be a possibility to use uuencoding as an alternative binary-to-ASCII encoding.

19. Update the programs in the contrib directory - many of them have newer versions.

20. Add the ability to extract/delete/sign/etc. more than one key at once in batch mode.

21. Add the ability to specify the input file, the output file and the public and secret keyrings from the command line.

22. Add the ability to list the keys in the public keyring sorted by some field(s) - user ID, key ID, size, date.

23. Include an IDEA assembler implementation for the MS-DOS version.

24. When wiping a file, don't use 0 or any other constant - use random numbers, in order to solve the security problem with compressed disks.

25. Add a self-test of the random number generator, so that it can detect if the compiler has broken it.

26. Make the built-in text viewer able to scroll back by a line and by a page.

27. When the owner of a key adds a new userID to the key, PGP should automatically sign the new userID with the owner's private key.

28. When generating prime numbers, PGP should use a combination of Miller-Rabin and Lucas tests for primality, instead of Fermat's test. Contact Paul Leyland for more information.

29. When PGP adds a new userID to a key, the new block should appear at the end of the existing blocks, not in front of them, as it does now.

30. There should be a way for PGP to check the signature of a signed message and return an errorlevel indicating whether the signature is good or not - without creating a copy of the message with the signature stripped.

31. There should be a way to convert an encrypted and signed message to clearsigned form.

32. The trust levels of the public keys should be kept separately (in a separate file) from the public keyring.

33. Print all diagnostic, prompt, status and copyright messages to stderr, NOT to stdout.

34. Allow "message scanning", in which case PGP just looks over a message and reports on its contents, but does nothing with it.

35. In conventional encryption mode, a random, full-space session key should be generated; this key should be encrypted with the passphrase and stored with the encrypted message.

36. Add the following tags to the makefile:

    next-intel:
    	$(MAKE) all OBJS_EXT=_80386.o \
    	CFLAGS="-O -DNEXT -DUNIX -DMACH -DNOTERMIO"

    nextHP:
    	$(MAKE) all \
    	CFLAGS="$(RSAINCDIR) -O -arch hppa -DNEXT -DUNIX -DMACH -DPORTABLE \
    	-DNOTERMIO -DHIGHFIRST"

37. The fact that pgp uses temp files should be documented in the section on the 'wipe' option - if you care about wiping your text, you should know about the temp files too (maybe you want to wipe more than once). Also, PGP should wipe its temp files by default. PGP should be easy for non-programmers to use safely; just deleting the temp files gives them a false sense of security.

38. By default pgp stores the pass phrase in memory for as long as it can; there should be an option to wipe the pass phrase from memory as soon as possible (i.e. before it prints the message "Pass phrase is good").
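Item 28 above recommends Miller-Rabin (plus Lucas) instead of Fermat's test. The following added example, which is not code from PGP or from the suggestion list, implements the Fermat and Miller-Rabin tests side by side and shows the weakness item 28 is about: the Carmichael number 561 = 3 * 11 * 17 passes the Fermat test for every base coprime to it, but a single Miller-Rabin round with base 2 proves it composite. The Lucas half of the recommendation is not implemented here.

```python
"""Fermat versus Miller-Rabin primality testing, illustrating item 28.
Added example, not code from PGP or from the suggestion list.  The Lucas
test that item 28 also recommends is not implemented here."""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

# 561 = 3 * 11 * 17 is the smallest Carmichael number: composite, yet
# a^(n-1) == 1 (mod n) for every base a coprime to it.
CARMICHAEL_561 = 561


def fermat_probable_prime(n, bases):
    """Fermat test: n passes if a^(n-1) == 1 (mod n) for every base a.
    Carmichael numbers pass for every base coprime to n, so the test
    gives no security against them no matter how many bases are tried."""
    if n < 2:
        return False
    for a in bases:
        if a % n == 0:
            continue
        if pow(a, n - 1, n) != 1:
            return False
    return True


def miller_rabin_probable_prime(n, bases):
    """Strong probable-prime test.  Write n-1 = 2^s * d with d odd; base a
    passes if a^d == 1 or a^(2^r * d) == n-1 for some r < s.  Otherwise a is
    a witness that n is composite.  Every Carmichael number is rejected."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue                    # these bases carry no information
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                # never reached n-1: a is a witness
    return True


def is_probable_prime(n, rounds=25, rng=random):
    """Trial division by small primes, then Miller-Rabin with random bases.
    A prime always passes; a composite survives each round with probability
    at most 1/4, so 25 rounds leave an error bound below 2**-50."""
    if n in SMALL_PRIMES:
        return True
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return False
    bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
    return miller_rabin_probable_prime(n, bases)
```

The point for a key generator is that the Fermat test has composites it can never detect, while the Miller-Rabin error bound shrinks with every round; adding a Lucas test on top, as item 28 suggests, guards against the (different) composites that fool Miller-Rabin for a fixed set of bases.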
If pgp version 3 succeeds in its aims and a port is made to Windows 3.1, there will be hundreds of Windows swap files containing people's pass phrases; from there you only need 'undelete' and 'strings'. A similar problem exists under Unix with core dumps.

39. Provide an option to stop using temp files. IDEA is a block cipher, so we can easily do encryption/decryption in memory buffers:

    while (! EOF) {
        read (BLOCK1);
        BLOCK2 = idea_encrypt (BLOCK1);
        wipe (BLOCK1);
        write (BLOCK2);
    }

40. Add a tag in the makefile for Solaris. An example is

    solaris2:
    	$(MAKE) all CC=cc LD=cc \
    	CFLAGS="-O -DPORTABLE -DSVR4 -DSYSV -DUNIX -DHIGHFIRST -DIDEA32"

    solaris2gcc:
    	$(MAKE) all CC=gcc LD=gcc \
    	CFLAGS="-O -DPORTABLE -DSVR4 -DSYSV -DUNIX -DHIGHFIRST -DIDEA32"

but even better would be to change the names of the functions in the assembly language files, so that they link properly under Solaris.

41. Immediately after generating a key pair, have PGP ask if you would like to generate a revocation certificate in a file for later use. Also add a feature that would alert users that they are about to revoke their public key if they accidentally run the certificate through PGP.

42. It should be possible to easily generate a key revocation certificate without automatically revoking your key. This is necessary for people who think they might forget their passphrase, so that they can generate a key revocation certificate and store it in a safe place. Currently this procedure automatically revokes their public key and they must restore their public and secret keyrings from backups.

43. Add the capability to clearsign 8-bit text. This is necessary for some texts written in non-English languages.

44. Add a flag to generated public keys with the meaning "don't archive". The keyservers will then be able to check the presence of this flag and automatically reject keys that have it set.
This is useful for people who don't want their public keys to end up on a keyserver without their explicit permission.

45. It should be possible to specify the path of the file RANDSEED.BIN from the command line. This will allow keeping the keyrings and the PGP executable on a write-protected floppy.

46. Sadly, PGP does not compile out-of-the-box on DJGPP 1.11 (it did on DJGPP 1.10, but that didn't work in windoze). The problem is a name collision between a window() function in the libpc.a library and the window[] (or *window) used by the zinflate/zdeflate routines. Since the compression would clobber 64K at the wrong "window", you had spectacular crashes every time you tried to compress anything ;). It can be solved by renaming all instances of "window" to "slide" in the z*.c and match.s sources.

47. It is possible to intentionally generate a key whose keyID clashes with the keyID of an existing key. PGP should be seriously rewritten to become resistant to this attack. For instance, it could use the last 64 bits of the MD5 hash of the public modulus as a keyID.

48. There should be a way to easily sign any particular userID of a key that has several userIDs. <--- already implemented

49. When decrypting a file, PGP should restore the time/date of last modification of the original that was encrypted.

50. The public keyring management needs a major rewrite to speed it up. PGP should use agrep's algorithms for fast string matching with errors, allow multiple public keyrings with caching of the most used keys, and so on.

51. Allow third-party plug-in algorithms for the secret-key cipher, the public-key cipher, the message digest function, the armouring and the compression.

52. Add the (optional) capability to use strong primes when generating keys.

53. Allow the user to enter the IDEA key manually.

54. Implement the MD5Sum functionality in PGP, so that PGP can be used to compute MD5 hashes of files.

55. Put all the essential PGP functions in a library, so that other programs can use them too. See PGPTools for some ideas how it could be done.

56. When prompting you to sign a key, PGP should also display the fingerprint of this key.

57. Add support (i.e., the ability to generate and work with the appropriate messages and warnings, etc.) for public keys with an expiration date.

58. Implement the capability to keep the userIDs/keyIDs of the keys in the secret keyring in encrypted form, so that it is not possible to figure out (without the passphrase) whose keys those are.

59. Add the capability to regenerate a lost public key from the secret key.

60. Display the date when a key signature was issued when a verbose listing is produced (-kvv), not only when a keyring check (-kc) is done.

61. In genprime.c, change putchar('+'); to putchar('x');, in order to avoid confusing modems in a dial-in session.

62. Implement the ability of the signators of a key to generate some kind of revocation certificate for it - in case the owner of the key has lost the passphrase or the corresponding secret key.

63. Implement the capability to turn off the flag that says that an untrusted key has been approved for usage.

64. If one of the arguments on the command line begins with a special character (e.g., '@'), the rest of it should be treated as the name of a file from which the rest of the command line should be read. This is necessary for environments that have a limit on the length of the command line (e.g., MS-DOS) - this limit prevents the user from encrypting to a large list of recipients.

65. Filter out ANSI key-reprogramming sequences when displaying userIDs and other data, in order to prevent ANSI bombs.

66. The name of the original file should be extractable (with the -p option) from clearsigned messages.

67. Include the Amiga-specific improvements by Peter Simons (simons@peti.GUN.de), between appropriate #ifdefs:

- fixed a bug in PGP's file handling: it tried to move files using rename(), which failed if the target was on another device. Now the routine checks whether the rename succeeded and copies the file otherwise.
- modified PGP to recognize local (SET vs. SETENV) shell variables, too. (Only available under OS 2.04 or later!)
- the config file has been renamed from "config.txt" to "pgp.config"
- modified filename manipulating functions to handle "T:" as the temporary file directory
- PGP requires only 8k of stack or less. If the default stack of the shell is too small, PGP allocates a new stack.
- added additional info about the port, displayed at startup
- the executable is now pure and may be made resident
- reformatted the English help file. (Thanks to Mark Constable for the effort!!)
- modified the md5sum utility to work on the Amiga. The sources, executable and manual can be found in the "contrib/" directory.
- corrected CTRL-C handling
- fixed a bug in more.c, sometimes causing a division-by-zero exception
- removed UNIX signal stuff (is handled by SAS/C automatically)
- removed the 'is-helpfile-binary?' check, because it didn't make much sense IMHO and caused problems with my C compiler

B) Bug reports

1. I have a separate keyring containing the public keys of a particular group of people I correspond with. All the keys in this keyring are certified by me. I want to add a new key to this keyring. This key is already certified by me. When I execute the command

    pgp -ka newkey.asc newring.pgp

PGP still asks me whether I want to certify some keys, regardless of the fact that all keys are already certified by me. When I respond positively, it lists the new key, says that there is a "questionable signature" by me and offers to let me certify it. If I agree, it says that it is already certified.

2. The file 3B1_68000.s needs to be renamed 3B1_68010.s to match the makefile.
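Item 47 in section A above notes that a keyID can be made to clash with an existing one and proposes deriving the keyID from the MD5 hash of the modulus instead. The following added example, which is not code from PGP or from the suggestion list, computes both forms of keyID over constructed sample integers (they are not real RSA moduli; a real modulus is a product of two primes) and shows that two different values sharing their low 64 bits get the same PGP-style keyID but different hashed keyIDs. The big-endian encoding of the modulus before hashing is an assumption.

```python
"""Key ID collisions: PGP 2.x low-64-bit key IDs versus the hashed key ID
proposed in item 47.  Added example, not code from PGP or from the list.
The moduli below are constructed integers, not real RSA moduli."""
import hashlib

MASK64 = (1 << 64) - 1

# Constructed sample "moduli": A and B share their low 64 bits, C does not.
MOD_A = (0xA5A5A5A5 << 64) | 0x0123456789ABCDEF
MOD_B = (0x5A5A5A5A << 64) | 0x0123456789ABCDEF
MOD_C = (0xA5A5A5A5 << 64) | 0xFEDCBA9876543211
SAMPLE_MODULI = {"A": MOD_A, "B": MOD_B, "C": MOD_C}


def pgp2_keyid(n):
    """PGP 2.x key ID: the low 64 bits of the RSA public modulus itself.
    Whoever controls those bits of a modulus controls the key ID."""
    return n & MASK64


def hashed_keyid(n):
    """Key ID as item 47 proposes: the last 64 bits of MD5 over the modulus.
    The modulus is hashed as a big-endian byte string (an assumption)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.md5(raw).digest()[-8:], "big")


def short_keyid(keyid):
    """The 32-bit form PGP prints in listings, e.g. 0x89ABCDEF."""
    return f"0x{keyid & 0xFFFFFFFF:08X}"


def keyid_collisions(moduli, keyid_fn):
    """Group keys whose key IDs collide under keyid_fn.
    Returns only the groups with more than one member, as {keyid: [name, ...]},
    which is what a keyring check would report to the user."""
    groups = {}
    for name, n in moduli.items():
        groups.setdefault(keyid_fn(n), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for name, n in SAMPLE_MODULI.items():
        print(name, short_keyid(pgp2_keyid(n)), short_keyid(hashed_keyid(n)))
    print("collisions (PGP 2.x):", keyid_collisions(SAMPLE_MODULI, pgp2_keyid))
    print("collisions (hashed):", keyid_collisions(SAMPLE_MODULI, hashed_keyid))
```

What the hash buys is that the ID is no longer a field of the key that its creator writes directly. It does not make collisions impossible: any 64-bit identifier can be collided with roughly 2^32 work by the birthday bound, and MD5 itself is no longer collision resistant, so a design done today would identify keys by a longer fingerprint of a stronger hash and would treat the short ID as a lookup hint, never as proof of identity.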
In fact, it is even better to rename it to 3b168000.s (and to introduce the appropriate changes in the makefile).

3. The program md5sum (from the contrib directory) needs a makefile, to indicate which files have to be used from the src directory.

4. The file pgp2x.md5 needs to be updated to take care of the modified files in the directory src.

5. The program md5sum should work correctly regardless of whether the files in the directory src are in MS-DOS or Unix format.

6. In the makefile, add "-DMAX_NAMELEN=14" to the CFLAGS line in the 3b1_asm area. This is required to compile fileio.c.

7. Edit random.c and comment out the "#include " line.

8. In sign-only mode ("pgp -sa message") PGP doesn't compress the message. This should be fixed.

9. The documentation files in the archives PGP2x.ZIP and PGP2xSRC.ZIP have slightly different contents and even different names (extensions). This should be fixed.

10. If a file is encrypted "for your eyes only" (pgp -em), then it can still be saved (involuntarily) on the disk if PGP is used as a filter:

    pgp -f < message.asc > message.txt

The correct behaviour should be:

    IF (NOT isatty (stdin) OR batchmode == ON) AND the message is "for-your-eyes-only"
    THEN PGP should print an error message to stderr and exit.

11. The conventional encryption mode (-c) doesn't use a random IV - it always uses one and the same IV.

12. When PGP decrypts a file which resides on a different drive, it creates a temporary file which contains the *decrypted* contents of the file on that drive. Such files should be created *only* in the TMP directory.

13. If you try to sign a message and your secret keyring is not in the directory listed in the PGPPATH variable, PGP will first complain about the missing private (secret) keyring, but will then ask for the filename of the PUBLIC(!) keyring.

14. The makefile entry for HP/UX should not include the file getopt.c, because HP/UX already has this function in its libraries.
Here is how to fix it:

% diff makefile.unx Makefile
250,252c250,251
< CFLAGS="-Aa +O3 +Obb5000 -D_INCLUDE_POSIX_SOURCE \
< -D_INCLUDE_HPUX_SOURCE -D_INCLUDE_XOPEN_SOURCE -DHIGHFIRST -DUNIX \
< -DPORTABLE -DUSE_SELECT -DIDEA32 -DMERRITT"
---
> CFLAGS="-Aa +O3 +Obb5000 -D_HPUX_SOURCE \
> -DHIGHFIRST -DUNIX -DPORTABLE -DUSE_SELECT -DIDEA32 -DMERRITT"

and:

% diff src/getopt.c.orig src/getopt.c
38c38
< getopt(int argc, char **argv, char *opts)
---
> getopt(int argc, char * const argv[], const char *opts)

15. There is at least one message in PGP 2.3a which isn't in the language file (something like "Ok, skipping id %s\n"). There are also a number of system messages that cannot be translated, because the PSTR() function is not called (e.g. the Date information).

16. If you use "pgp -sa" for the files "xxx.h" and "xxx.c", the file "xxx.asc" is created for the first file; for the second file the previous file is overwritten WITHOUT ANY WARNING.

17. If you use "pgp -ew" to encrypt a file on a file server (Novell NetWare in my case), you might encounter the following problem: if the source file is write-protected, PGP will complain a few times that a write operation failed, but will finally state that the file has been encrypted and wiped out (I don't know the precise words right now). Looking into the source file's directory, you find the original file still there, and you don't find any encrypted file (in my case, the user had no permission to create a new file there). I'd consider this a quite big bug; just imagine I had used a script to do automatic processing...

18. Currently PGP allows you to encrypt messages using a revoked key. This "feature" has to be removed.

19. When you remove a key belonging to yourself (i.e. you have both halves) and the key _has the same userid_ as another key belonging to yourself, MacPGP will remove the proper PUBLIC key, and then ask if you want to remove the corresponding SECRET key.
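Review bot: the 250,252c250,251 hunk of the makefile diff changes only CFLAGS (the three `-D_INCLUDE_*_SOURCE` defines become `-D_HPUX_SOURCE`); nothing in it removes getopt.c or its object from the HP/UX target, which is what bug 14 says the fix should do, so either a hunk dropping getopt from the object list is missing from the diff or the bug text should describe the fix as a feature-test-macro change. If the macro change alone is what makes HP/UX build, say so explicitly, because a reader following the bug text will look for the getopt entry to disappear and not find that in the hunk.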
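Review bot: the 38c38 hunk turns the definition into `getopt(int argc, char * const argv[], const char *opts)`, which is the POSIX prototype for getopt() and so avoids a conflicting-declaration error where the system header and this definition are both visible; once getopt.c is no longer compiled for HP/UX, as bug 14 asks, the change matters only for the other targets that still build it. Since `opts` and the argv pointers are now const, it should be confirmed that the body of getopt() never writes through them, otherwise this hunk moves the error from the prototype into the function body.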
If you say yes, MacPGP will then proceed to remove the _other_ secret key - the one corresponding to the public key that you wanted to keep!

20. Currently PGP does not allow the user to access in any way a key in the keyring that has no userID - even by specifying that key by keyID. This needs to be fixed.

21. There is a peculiarity in the MS-DOS version of PGP: it is impossible to translate the following message (in keymgmt.c):

    "\nPick your RSA key size:\
    \n 1) 384 bits- Casual grade, fast but less secure\
    \n 2) 512 bits- Commercial grade, medium speed, good security\
    \n 3) 1024 bits- Military grade, very slow, highest security\
    \nChoose 1, 2, or 3, or enter desired number of bits: "

This works well in the Unix version, but for some (unknown) reason the MS-DOS version will not recognize any translation of this message. However, when the linefeeds are moved to the end of each line, like this:

    "\nPick your RSA key size:\n\
     1) 384 bits- Casual grade, fast but less secure\n\
     2) 512 bits- Commercial grade, medium speed, good security\n\
     3) 1024 bits- Military grade, very slow, highest security\n\
    Choose 1, 2, or 3, or enter desired number of bits: "

...and the file LANGUAGE.TXT is changed accordingly, then the message translates all right.

22. Clearsigned messages, when decrypted with the -d option, get the signature written *in binary* to the decrypted file, which looks really ugly afterwards.

23. During the check of a clearsigned message, PGP ignores any text from the delimiter line to the next blank line. This can be used to insert bogus additional text at the beginning of a signed message.
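Bug 23 describes text in the header area of a clearsigned message that a reader sees but the signature never covers. The following added example, which is not code from PGP, shows the checking side of the fix: it splits a clearsigned message into the header area (delimiter line up to the first blank line), the signed body and the signature block, and reports any header-area line that is not a "Name: value" armor header instead of silently discarding it. It checks only the armor layout; it does not verify the signature itself, and the two messages are constructed samples with a placeholder in place of real signature data.

```python
"""Surfacing unsigned text in the header area of a clearsigned message
(the problem described in bug 23).  Added example, not code from PGP.
It only checks the layout of the armor; it does not verify the signature."""
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# An armor header line looks like "Name: value".  Anything else between the
# delimiter and the first blank line is text the signature does not cover.
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")


def split_clearsigned(text):
    """Return (header_lines, body_lines, signature_lines).

    The header area is everything between the BEGIN PGP SIGNED MESSAGE line
    and the next blank line; the body runs from there to BEGIN PGP SIGNATURE.
    Raises ValueError when the delimiters are missing or out of order.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start + 1)
        sig_end = lines.index(END_SIG, sig_start + 1)
    except ValueError:
        raise ValueError("not a complete clearsigned message") from None
    i = start + 1
    headers = []
    while i < sig_start and lines[i].strip():
        headers.append(lines[i])
        i += 1
    # if no blank line precedes the signature, everything was "header" text
    body = lines[i + 1:sig_start] if i < sig_start else []
    return headers, body, lines[sig_start:sig_end + 1]


def unsigned_header_text(headers):
    """Header-area lines that are not 'Name: value' armor headers."""
    return [h for h in headers if not HEADER_LINE.match(h)]


def check_clearsigned(text):
    """Return (body_lines, warnings).  A non-empty warnings list means the
    message carries text a reader would see but the signature never covered;
    a careful checker reports it rather than dropping it without a word."""
    headers, body, _signature = split_clearsigned(text)
    warnings = [f"unsigned text in header area: {line!r}"
                for line in unsigned_header_text(headers)]
    return body, warnings


# Constructed samples.  The signature block is a placeholder, not real data.
CLEAN = """\
-----BEGIN PGP SIGNED MESSAGE-----

Meet at noon.
-----BEGIN PGP SIGNATURE-----
Version: 2.3a

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

TAMPERED = """\
-----BEGIN PGP SIGNED MESSAGE-----
This line was inserted after signing.

Meet at noon.
-----BEGIN PGP SIGNATURE-----
Version: 2.3a

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("tampered", TAMPERED)):
        body, warnings = check_clearsigned(msg)
        print(name, body, warnings)
```

A checker built this way would still verify the signature over the body exactly as before; the only change is that the header area is inspected and reported, which turns a silently accepted insertion into a visible warning.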