Leigh S. Jones, KR6X
Tue May 7 22:49:02 2002

"Johan Wevers" wrote:

> Leigh S. Jones, KR6X wrote:
> > GnuPG is poised to dominate the field, and its developers
> > should consider the implications of creating the best possible
> > tool rather than the most compatible one.  The "idea" patent
> > has already set PGP and GnuPG widely apart from the
> > standpoint of interoperability,
> Not really. Most people who like to remain fully compatible with pgp 2
> don't care about that patent. Personally, I use IDEA for both personal
> and business usage - let the patent holders sue me if they like:
> everyone on this list knows chances on that happening are negligible.
> That might not be the official Gnu point of view, but I don't care.

I find a great deal of agreement with what you've written;
perhaps that means our ideas are similar.  Maybe your 
reasons are different.  First, the "idea" patent only applies 
to the US, so you're in no danger of being sued.  

The "idea" patent holders probably would only pursue a case 
if an American company (such as Network Associates) 
profits from selling their product without paying royalties -- 
then I think they'd believe they deserve a share of the profits.  
Makes sense.  But it does prevent me from doing some things 
that I'd like to do, even if the patent holders' stated position
would be to allow me that freedom, because of company 
policy against ignoring patents or copyrights at my job.  

My company wants to stop paying for shipment storage of 
20 tons of new, automatically generated paperwork yearly, so 
it needs a secure digital signature capability. Looks like it will 
be done with gpg now, but I tried to license PGP command 
line first (the freeware product).  NAI's business plan wouldn't 
allow that, so they are out a few thousand dollars, and
coincidentally out of the PGP business.

Now I'm moving my old keys over from "idea" to AES (Rijndael) 
because the US government thinks it's a good cipher.  But, 
the OpenPGP standard should take care of interoperability.  
Interoperability is a moving target.  Standards change.  It's 
best to equip yourself to hit the moving target.  If someone's 
keys say they prefer an SHA-256 hash, then you should 
probably send them an SHA-256 hash.  Maybe they like it 
because it's a good hash.  Having the capability improves
your interoperability rather than damaging it.  

Sure, the OpenPGP standard doesn't negotiate algorithms 
for signatures, so vanilla signatures are sometimes a good 
idea.  But if you know that the software that will be used to 
verify a signature accepts SHA-256, then perhaps the 
SHA-256 hash would be better than alternative hashes.  At
my job I need to specify the verification software together 
with the signature software and options, then validate it all
together as a package.  

"Johan Wevers" wrote:

> Leigh S. Jones, KR6X wrote:
> > GnuPG with capabilities that extend its interoperability with
> > existing standards such as SHA-256 makes sense from the
> > point of view of interoperability, even if there is no support for
> > these standards in PGP7.1.
> Indeed. Remaining fully compatible with the windows-only versions is not
> something I really care about, as long as I'm able to send messages that
> can be decrypted and verified with them to people who are confined to
> windows when I want to.

Perfect agreement.  What if I'm running windows and someone
sends me a signature executed with SHA-256?  Enter sha2.dll.
Glad to have it.  Thanks, Keith.  Thanks Disastry.
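
The digest choice discussed in the message above (follow a verifier's key preferences when the audience is known, sign "vanilla" when it is not), written out as an added example that is not part of the original post or of GnuPG's code. The signer ranking, the SHA-1 fallback parameter and the sample preference lists are assumptions of this example; the hash IDs are those of RFC 4880.

```python
# Added example: pick a signature digest from the verifiers' key preferences.
# OpenPGP hash algorithm IDs as assigned in RFC 4880, section 9.4.
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Assumption: the signer's own ranking, strongest first. MD5 is left out.
SIGNER_RANKING = [10, 9, 8, 11, 2, 3]

# Assumption: SHA-1 as the "vanilla" choice, because the OpenPGP RFCs make
# it the hash every implementation must support. Pass another ID to change it.
FALLBACK = 2


def choose_digest(verifier_prefs, ranking=SIGNER_RANKING, fallback=FALLBACK):
    """Return the name to pass to gpg's --digest-algo option.

    verifier_prefs holds one list of hash IDs per known verifier, taken from
    the "preferred hash algorithms" subpacket on that verifier's key.
    An empty list means the signer does not know who will verify.
    """
    if not verifier_prefs:
        # Signatures are not negotiated, so an unknown audience gets the
        # hash that every implementation is required to accept.
        return HASH_IDS[fallback]

    # Hashes acceptable to every verifier. The fallback is implicitly in
    # each verifier's set even when the key does not list it.
    common = set(HASH_IDS)
    for prefs in verifier_prefs:
        common &= set(prefs) | {fallback}

    # First entry of the signer's ranking that all verifiers accept.
    for algo in ranking:
        if algo in common:
            return HASH_IDS[algo]
    return HASH_IDS[fallback]


# Constructed sample preference lists (not taken from real keys).
SHA2_CAPABLE = [8, 2, 3]   # a key that lists SHA-256 first
LEGACY_ONLY = [2, 3]       # a key from software without SHA-2 support
```
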