ietf-openpgp

Re: Further deprecating PGP2

2003-03-09 00:34:47


On Sunday, Mar 9, 2003, at 01:27 US/Eastern, Peter Gutmann wrote:


> Jeroen van Gelderen <jeroen(_at_)vangelderen(_dot_)org> writes:
>
> > How can my copy of OpenPGP support an IDEA-encrypted message if I am not
> > allowed to use IDEA to decrypt it?
>
> How many people are really going to be affected by this? As I said in my
> previous message, I would imagine that the majority of people still using 2.x
> are individuals/personal-use, which means they have no problems using IDEA.
> Commercial users will (presumably) be using a licensed version, in which case
> it doesn't matter either.

In which case either party doesn't care about their messages not being branded OpenPGP compliant because they will be sending the messages to other 2.x users. So PGP2 messages can be stripped out of the standard that contemporary PGP users adhere to.

> You need to distinguish between "We can't use IDEA
> for commercial/licensing reasons" and "We refuse to consider IDEA for
> ideological reasons". I suspect instances of the former are pretty rare in
> practice.  Give me some real-world examples

I am not exactly sure how you are interpreting "I don't want to require people to pay" as "I have an issue with patents". Iff the latter were true I would object against CAST-5 too.

I have a reasonably large set of PGP messages that I can't legally decrypt because they are encrypted with IDEA. Those messages should not be considered OpenPGP compliant. Most people who sent those have now switched to GnuPG.

I think that in practice most people ignore the IDEA patent because Ascom is pretty lenient. Or companies like PGP buy a wholesale license on their behalf. But anyone who is using GnuPG in a commercial setting cannot legally decrypt IDEA messages without a license. Which means they cannot decrypt OpenPGP-compliant messages. So we should make sure they don't end up in that situation. They should be able to say "Hey, please send me an OpenPGP message instead!".

There is a reason that Internet standards tend to be completely patent free. OpenPGP is no exception.

> where significant use of PGP was
> affected by the current situation with IDEA, and show me how MUST NOT IDEA
> would have fixed this.

The MUST NOT was not a central point of my argument. The central point was changing the SHOULD to MAY. People SHOULD NOT actively support PGP2, they MAY do so however. It is the difference between it being optional (MAY) and desirable (SHOULD). It's time to kill off the old baggage to reduce complexity. And definitely if it costs money.

I doubt PGP use was ever 'significant'. I was hoping that simplifying the standard and ripping out the old baggage would give OpenPGP a push in the right direction. Implementing OpenPGP is horrific enough as-is.

Cheers,
-J

