[gnutls-devel] openpgp removal

Ludovic Courtès ludo at gnu.org
Sun Jan 15 21:41:03 CET 2017


Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:

> On Sat, Jan 14, 2017 at 6:14 PM, Ludovic Courtès <ludo at gnu.org> wrote:
>>> After considering the quality of the OpenPGP support in gnutls, I've
>>> decided to speed up the OpenPGP deprecation originally planned in [0].
>>> I've marked all functions as deprecated and modified the manual to
>>> list the reasons the openpgp certificate support should not be used in
>>> [1]. However, there are some references to OpenPGP in the Guile manual
>>> as well. Is it ok to remove them?
>> Yes, sure.
>>
>> I’m disappointed to see OpenPGP support go away, because that’s one of
>> the things that brought me into GnuTLS back in the day, but I can
>> understand your concerns as a maintainer.
>
> I think it is time to admit that OpenPGP authentication for TLS led
> nowhere. Although I initially expected to improve web applications,
> and even more custom applications by providing a simpler verification
> of trust, neither of these categories benefited in practice. The web
> of trust pushed by pgp/gpg proved to be too complex to deploy on the
> scale of the Internet. When OpenPGP certificates were used with gnutls
> they were used only as an alternative format for certificates, which
> was neither simpler nor better than X.509.

IMO it was “better” than X.509 in that it did not impose a centralized
model with its “authorities”, which to me is fundamentally flawed.

I never thought OpenPGP authentication would displace X.509 on “the Web”
but I thought it was a nice model to build upon for peer-to-peer-style
applications (what I looked at in my PhD thesis at the time).

That said, over time I’ve also become more skeptical of stretching
OpenPGP to such use cases, which are not what it was designed for.

Anyway, thank you for launching this experiment quite a few years ago!
:-)

Ludo’.
