Trying to create auth key on GPF CryptoStick

Nicholas Cole nicholas.cole at
Wed Jan 4 14:27:45 CET 2012

On Wed, Jan 4, 2012 at 1:01 PM, Werner Koch <wk at> wrote:
> On Wed,  4 Jan 2012 13:37, nicholas.cole at said:
>> Is there any plan to back-port the ECC support?
> No.  We definitely need to move forward with 2.1 and not keep on
> updating 2.0.  It would be quite some work to integrate that in 1.4 and
> I see no reason to do that.  Remember that this is not a one-time task
> but requires continues maintenance.  We don't have the resources to do
> that.

That is a shame, although I do completely understand the resources
problem.  Though gpg2.1 has lots of wonderful features, it IS a much
bigger, much more complex package.  I've always liked the fact that
gpg1.4 can be built relatively simply, and the code-base looks
relatively easy to understand.  It really is a case of simply
downloading and building.  People using gpg2 often have to rely on
third-party packagers.

You said earlier that someone wanting really high security ought to be
prepared to audit the different elements of the system.  I'm no
expert, but I'd have thought that would be easier if deploying 1.4.
Perhaps that is wrong, and in fact people can have better confidence
in the new version.

I suppose I'd imagined that once the ECC code was written it would
effectively be a module that could be integrated relatively easily
into the old code.  I do understand if that's not the case, but there
are reasons why 1.4 is still so popular.  Do you think those reasons
are outdated and need to be confronted?


More information about the Gnupg-users mailing list