Terminology - certificate or key ?

Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 29 17:17:55 CEST 2016

> It seems there is, according to one of the authors of RFCs 2440 and
> 4880. Apparently, at the time they were told by the IETF to avoid
> speaking of "certificates" so that OpenPGP would not seem to rivalize
> with PKIX...

For related reasons, GnuPG and PGP have different names for some of the same algorithms.  What GnuPG calls Elgamal, PGP calls Diffie-Hellman.  The correct name is Elgamal, but waybackwhen PGP had a licensing agreement with ... blanking on the company ... which offered them a reduction in licensing fees if they'd call it Diffie-Hellman instead.  PGP wanted the reduced licensing fees so they went along with the misnaming, and now the misnaming is so entrenched in the PGP community that it would be impractical for them to change the name, even though there's no longer a business case for calling it Diffie-Hellman.

Likewise with SHA-x.  The family of modern SHAs is called SHA-2, and specific hashes within SHA-2 are called SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.  (GnuPG implements -224, -256, -384, and -512; it does not implement -512/224 or -512/256.)  GnuPG calls these hashes by their correct NIST nomenclature.  PGP insists on calling them "SHA-2-256", "SHA-2-512", and so on.

I have to admit to being extremely annoyed with the state of the language we use.  OpenPGP is hard enough to learn without having to be confused by multiple names for the same algorithms, confusing usage of "certificate", "key", and "Key", and every other bit of linguistic tomfoolery we seem to have accumulated.

More information about the Gnupg-users mailing list