Interoperability with OpenPGP crypto-refresh

Andrew Gallagher andrewg at andrewg.com
Fri Feb 24 19:25:55 CET 2023


On 20/02/2023 17:17, Bernhard Reiter wrote:
> On Thursday, 2 February 2023, 15:49:05 CET, Andrew Gallagher via
> Gnupg-devel wrote:
>> Hockeypuck relies heavily on Protonmail’s fork of gopenpgp. Protonmail are
>> invested in crypto-refresh and will certainly implement the new RFC when it
>> is finalised. Hockeypuck does not have the developer resources to maintain
>> yet another fork of gopenpgp, and so will have little choice but to track
>> upstream. 
>
> Given that openpgp-2015-rfc4880bis is simpler to implement, because it has
> fewer variants, that is an argument for it.

That might have been an argument for supporting *only* -bis, but that 
particular boat has sailed. We now have even more variants, not less. 
The choice for hockeypuck now is not between crypto-refresh and -bis, 
but between crypto-refresh and crypto-refresh-plus-bis. AFAICT, most of 
the significant modifications that need to be made to hockeypuck’s own 
code, such as support for longer fingerprints, are similar in both 
proposals and only need to be implemented once (or once-and-a-bit). The 
divergent parts, such as signature verification, are mainly in gopenpgp, 
and the crypto-refresh version of that will come regardless.

> I guess that Hockeypuck/gopenpgp is
> closer to support it anyway, maybe already supporting it.
> What would be needed to implement it in hockeypuck?

Either Protonmail adds -bis support to their fork of gopenpgp, or 
someone else re-forks their fork to add it and commits to supporting 
it long term. That "someone else" is unfortunately not going to be me as 
I have neither the skillset nor spare capacity. :-(

A


