The case for OpenPGP as a collaborative effort

Heiko Schäfer heiko.schaefer at posteo.de
Fri Sep 12 19:42:17 CEST 2025


Hello all,

This thread has veered into questions about how the OpenPGP standard as 
such develops, and I have thoughts.

Reasonable people can have different personal preferences on details of 
the RFC 9580 specification and the LibrePGP draft. However, objectively, 
RFC 9580 has been produced in a multi-stakeholder IETF process, and 
LibrePGP has not[1].

The initial framing of this thread misses this point by centering one 
actor who participated in the IETF process. However, I think the most 
interesting question is "Where is collaboration happening?" (not: "Which 
of two actors do I trust/favor?").

RFC 9580 is the result of multiple years of collaboration by a sizeable 
and diverse group. This work is public and on the record. Many 
trade-offs were considered, discussed and worked through. The design 
decisions that RFC 9580 embodies are certainly not impulsive.
LibrePGP, on the other hand, seems to be written single-handedly by 
Werner Koch, and in private (I am not aware of public deliberations 
about any of the design decisions in it). Also see [2], [3].


# RFC 9580 is supported by many independent implementers and contributors

The work that went into RFC 9580 shows. The text is *much* clearer than 
its predecessor, RFC 4880 and its close relative, the LibrePGP draft. (A 
report commissioned by the BSI [4] also seems to make this point.)

RFC 9580 specifies some new formats, but all of them are clear 
evolutions of what came before. Its new v6 formats enable a clean 
transition from the current "v4 OpenPGP" state of affairs to future 
artifacts that finally drop some of the legacy cruft that has been 
rightfully criticized about OpenPGP.

As Vincent pointed out, all major OpenPGP libraries now feature rather 
complete implementations of v6/RFC 9580. Of course, since libraries are 
not user-facing, they have less mindshare than GnuPG. Still, I am 
confident that their aggregate use substantially outpaces GnuPG's. These 
libraries include Bouncy Castle, GopenPGP, OpenPGP.js, PGPainless, rnp, 
rPGP and Sequoia-PGP. We're looking at the work of *many* independent 
parties, all of which clearly agree that RFC 9580 is a good standard and 
represents the future direction of OpenPGP.

As others have pointed out, GnuPG is a C codebase with a long history 
(going on 28 years). On top of that, it's a codebase that is mostly 
uncovered by tests, and has no automated CI. If GnuPG were my project, I 
would also be anxious about each change I make. I believe that because 
of this the LibrePGP draft errs on the side of making minimal changes, 
with the unspoken goal of limiting risks of breakage in a brittle 
codebase with practically no tests. (Maybe the new formats in RFC 9580 
are indeed "too radical" of an evolutionary step to safely implement in 
GnuPG. But that's surely not a failing of RFC 9580.)


# My place in the larger OpenPGP collective

Just to clarify where I'm writing from: I have participated in many 
collaborative efforts in the OpenPGP space over the past 7 years [5]. 
Last year, I contributed an implementation of the new RFC 9580 formats 
to the rPGP library [6]. rPGP is a pure Rust implementation of OpenPGP; 
it is 8 years old, and most prominently used in the Delta Chat 
decentralized secure messenger app [7].

It's probably fair to say I am familiar with RFC 9580, and can judge its 
merits with some confidence. I've also implemented decryption support 
for the "OCB" encryption container format from the LibrePGP draft in 
rPGP. The latter effort further clarified the high quality of RFC 9580 
to me - the LibrePGP draft does not compare favorably. Collaboration 
produces better quality and clarity.


# Conclusion

I am pretty happy with how the OpenPGP space is developing lately. There's 
much progress and productive collaboration. It is very unfortunate that 
GnuPG has decoupled from the rest of the OpenPGP ecosystem. But then, a 
lot of people have spent a lot of time trying to reach out and build 
bridges, to find compromises. Sadly, so far to no avail.

I'm well aware of many of the interpersonal undercurrents in this space 
over the past decade. Certainly, the "people"-aspect of collaboration 
can be hard and tiresome. But that's not specific to OpenPGP. Social 
complications happen in many specification and FOSS implementation 
efforts. It takes work to talk, coordinate, find common ground, actually 
take other perspectives seriously and work through their implications. 
But really, this is not a good reason - let alone justification - for 
forking the OpenPGP standard.

Thanks, cheers,
Heiko


PS: Just to clarify two potential points of confusion:

- Both RFC 9580 and LibrePGP are fully backward compatible with the 
formats in RFC 4880. Both drafts fully support existing v4 keys and 
messages. Also, they both use signaling mechanisms, so that, e.g., a 
sender's software knows which encryption formats a recipient can 
decrypt. Neither of the two drafts breaks the status quo.

- Both RFC 9580 and LibrePGP introduce new formats that won't work with 
software that predates the respective spec. The main difference is that 
RFC 9580 defines v6 OpenPGP formats that actually clean up some legacy 
cruft (things that can never be dropped in v4, and that LibrePGP's v5 
also doesn't clean up).
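As an added illustration of the signaling mechanism mentioned in the first point above (this is example code written for this page, not code from the original message, rPGP, GnuPG or any other project named here): a recipient's key carries a "Features" signature subpacket (type 30), and a sender reads its flags to decide which encryption container that recipient can decrypt. The flag values used are 0x01 for the version 1 SEIPD container from RFC 4880 and 0x08 for the version 2 SEIPD container from RFC 9580; the subpacket length encoding follows RFC 9580 section 5.2.3.7. The byte strings at the bottom are constructed for the example and do not come from real keys.

```python
# Added example: decode the OpenPGP "Features" signature subpacket that a
# recipient's key uses to advertise which encryption containers it can
# decrypt, then pick the container a sender should produce.
# Subpacket type and flag values follow RFC 4880 / RFC 9580; the sample
# subpacket areas at the bottom are constructed, not taken from real keys.

FEATURES_SUBPACKET_TYPE = 30
FEATURE_SEIPD_V1 = 0x01   # RFC 4880: Modification Detection (SEIPD version 1)
FEATURE_SEIPD_V2 = 0x08   # RFC 9580: SEIPD version 2 (AEAD) supported


def parse_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a signature
    subpacket area. The length field covers the type octet plus the body
    and is encoded in 1, 2 or 5 octets (RFC 9580 section 5.2.3.7)."""
    i, n = 0, len(area)
    while i < n:
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length, 192..16319
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:                                 # 0xFF followed by 4-octet length
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > n:
            raise ValueError("truncated or malformed subpacket")
        type_octet = area[i]
        body = area[i + 1:i + length]
        yield type_octet & 0x7F, bool(type_octet & 0x80), body
        i += length


def features_flags(area: bytes) -> int:
    """Return the first octet of the Features subpacket, or 0 if the key
    advertises no features at all (pre-RFC 4880 style keys)."""
    for sp_type, _critical, body in parse_subpackets(area):
        if sp_type == FEATURES_SUBPACKET_TYPE and body:
            return body[0]
    return 0


def choose_container(flags: int) -> str:
    """Pick the encryption container for a recipient advertising `flags`.
    Prefer SEIPD v2 when signalled; otherwise fall back to SEIPD v1, which
    every RFC 4880 implementation accepts, so nothing breaks the status quo."""
    if flags & FEATURE_SEIPD_V2:
        return "SEIPDv2"
    return "SEIPDv1"


# Constructed sample subpacket areas (hypothetical keys):
# a v6-capable key: Preferred Symmetric Ciphers (type 11) then Features = 0x09
V6_AREA = bytes([3, 11, 9, 8]) + bytes([2, FEATURES_SUBPACKET_TYPE, 0x09])
# a legacy v4 key advertising only the SEIPD v1 container
V4_AREA = bytes([2, FEATURES_SUBPACKET_TYPE, 0x01])
# a key with no Features subpacket at all (only Key Flags, type 27)
NO_FEATURES_AREA = bytes([2, 27, 0x02])
# a key whose Features subpacket follows a 191-byte notation (type 20)
# subpacket, exercising the two-octet length encoding
LONG_AREA = bytes([192, 0, 20]) + bytes(191) + bytes([2, FEATURES_SUBPACKET_TYPE, 0x08])

if __name__ == "__main__":
    for name, area in [("v6", V6_AREA), ("v4", V4_AREA),
                       ("none", NO_FEATURES_AREA), ("long", LONG_AREA)]:
        flags = features_flags(area)
        print(f"{name:5} features=0x{flags:02x} -> {choose_container(flags)}")
```

The fallback branch is the point: a sender that does not see the v2 flag keeps producing the RFC 4880 container, which is why a key that predates either spec still receives messages it can read.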

--

[1]: Somewhat bizarrely, the same pattern of a "schism" between IETF- 
and GnuPG-formats seems to repeat around PQC in OpenPGP: A group at the 
IETF is working on draft-ietf-openpgp-pqc, while GnuPG at some point 
decided to implement a similar but incompatibly different PQC scheme 
(fwiw, Sequoia-PGP was not an active participant in the work on 
draft-ietf-openpgp-pqc. And yet, GnuPG has opted not to work with the 
group at the IETF.)
[2]: "Requesting the editor to step down", Vincent Breitmoser 
2020-04-17: 
https://mailarchive.ietf.org/arch/msg/openpgp/XxZt89Eh7XUenuVRajbgtcWzWdA/
[3]: "Speaking as Author / Editor of RFC 9580", Paul Wouters 2025-08-28: 
https://warmwasserwerfer.de/2025/08/28/towards-openpgp-v6-in-pgpainless/#comment-37301
[4]: "Comparison of RFC 9580 and LibrePGP", Johannes Roth and Falko 
Strenzke 2025-07-08: 
https://github.com/crypto-security-tools/OpenPGP-LibrePGP-comparison/releases/download/v1.4/opgp-lpgp-comp.pdf
[5]: https://floss.social/@hko has more from and about me
[6]: RFC 9580 support in rPGP: https://fosstodon.org/@hko/113198947595455844
[7]: Delta Chat is a decentralized system and has no telemetry. However, 
a known lower bound for its current use is "Three million OpenPGP 
encrypted messages per day" (using email as transport)