potential IETF WG incompatibility with GnuPG 2.3

Bernhard Reiter bernhard at intevation.de
Thu Dec 15 09:44:21 CET 2022


Hi Andrew,

On Tuesday, 13 December 2022 12:02:41, Andrew Gallagher via
Gnupg-devel wrote:
> “It remains to be seen” is the crucial phrase there. Making 4880-bis the
> default behaviour in master appears to be prejudging the outcome of the
> standardisation process, with potentially damaging consequences for the
> wider ecosystem. 4880-bis differs in some crucial places, making it
> incompatible with the current WG draft.

However, you could ask the same questions to the WG: Why are they attempting to 
standardise variants that one of the main contributors to OpenPGP does not see 
as favourable to OpenPGP? Real usage has been an important factor to 
standardisation.

The very long process of the WG let me conclude that there were some problems
with it. I have not put in the time to look into the details, so I do not 
know, but just with a bit of distance something does not work out there.
I do not know how much technical need there is to go beyond RFC4880
(and other RFCs) and if standardisation processes do not work out,
implementations will go ahead, sometimes they even must.
It can be a good thing.

Dragging something out in a committee in general can also wear those players 
thin that care more for the technical part and are less well funded.
Again I do not know if this is happening with the IETF WG, just pointing
to a general pattern and that would match to some extent what is 
observable from a distance.

> If GnuPG chose 4880-bis instead of the new RFC (whatever it may be), then
> other implementations would have to choose whether to support 4880-bis as
> an extra compatibility mode, break compatibility with GnuPG going forward,
> or find themselves bounced into abandoning the RFC process. None of those
> outcomes would be desirable.

It is in my interest to have an interoperable specification and get good 
end-to-end crypto implementations to users. Being associated with 
GnuPG/Gpg4win on the business side via my company as well, I want it to be 
treated fairly. I welcome competition, especially if it is Free Software
and we work together towards making the work better for users.

In recent years the field has gotten more difficult with some exchanges
that I did not find fair. This is why I've jumped on this question, I am not 
sure that I, if I was Werner, would put in the time to answer it. Partly 
because it is placed and framed in a way that does not seem to seek 
understanding and cooperation, but to make GnuPG look bad. 
Why would someone answer that?

> Several people have asked for clarification on a number of occasions but
> none appears to be forthcoming. 

(BTW if those exchanges are publicly available, can you point me to them?)

> Vincent’s question is valid, and we should 
> be careful not to derail this thread with other arguments.

I assume Werner has explained his plans to the WG over many years.
(At least he wrote a lot of the drafts and participated.)
Why does he have the burden to explain why this technically does not go 
together anymore? Overall I believe the way how this is asked and understood 
from the persons being asked, is decisive for how they answer.

Regards
Bernhard
-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter