Miscellaneous questions

David Shaw dshaw at jabberwocky.com
Wed Apr 16 15:29:34 CEST 2008


On Apr 16, 2008, at 9:04 AM, Christoph Anton Mitterer wrote:
> On Wed, 2008-04-16 at 08:41 -0400, David Shaw wrote:
>> I was pretty much getting out of this thread as non-useful, but I have
>> to comment on this.  It's not true.  GPG does not export
>> non-exportable signatures.
> Hmm I wonder if it's worth the effort to publish a review on the RFC,
> would ideas be rejected simply because they change the current way or
> sight on things.
> What do you think?

I think - and please understand I do not mean this as an attack on you  
- that before someone proposes sweeping changes to an RFC, they must  
really understand the history and reasoning behind the original  
design.  Without that understanding, the proposed changes tend to  
become "I don't like this - please change it", without actual  
understanding.

I contributed a lot of work to 4880, over the span of years.  I found  
that the more I learned, the smaller the change I proposed was.

Skipping the actual security issue for a moment and just looking at  
code realities, OpenPGP and its ancestors have been around for so  
long, and there is such a huge base of installed code, that this is  
pretty much the only way to work with it.  It's not a blank sheet of  
paper where anything goes.  This is why V5 keys are so appealing -  
it's not exactly a blank sheet of paper, but it's as close as we've  
had for a very long time.

I don't want to discourage you from suggesting changes, but I do  
advise that you really understand what you are suggesting.  For  
example, the ideas around user IDs being required to be full names  
show misunderstanding of the OpenPGP trust model.  The ideas around  
different parts of the user ID living in different packets (attribute  
packets vs user ID packets) would break a large percentage of existing  
systems.  This is fine, of course, if that breakage is balanced out by  
a corresponding gain in the rest of the system, but I don't see that  
corresponding gain.  Work with a scalpel, not a cutlass.

David



More information about the Gnupg-users mailing list