ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Further deprecating PGP2

2003-03-08 14:06:19
from [Jeroen van Gelderen] [Permanent Link] 


On Saturday, Mar 8, 2003, at 02:56 US/Eastern, Peter Gutmann wrote:


"Jeroen C. van Gelderen" <jeroen(_at_)vangelderen(_dot_)org> writes:
Unfortunately (at least) people who run a business are considered commercial 
users and required to pay a licensing fee to the IDEA patent holder.
In that case they can use an OpenPGP version (in fact I would hope that a business isn't still using 10-year-old DOS-based software in their commercial operations). I would imagine that most people still sticking to PGP 2.x are doing so because they've used it for years and are comfortable with it, and by extension would be individual users who fall under the free-use terms. It seems like a bit of a non-issue to me - as Derek said, make it a MUST NOT generate 2.x-style keys but SHOULD still support the message format, that'll 
have the required effect.
How can my copy of OpenPGP support an IDEA-encrypted message if I am not allowed to use IDEA to decrypt it? Or are you saying that commercial users SHOULD pay the IDEA license fee because they SHOULD be able to handle IDEA-encrypted messages? That sucks in an open standard.
I can see how clients MAY support IDEA and thus MAY be required to pay money. That however sends a different message: get rid of your IDEA-encrypted messages or don't expect others to be able to read your messages.
I also think that at the very least PGP2-style encryption MUST not be used in addition to the requirement that PGP2 keys MUST NOT be generated.
If you do have a store of PGP2-encrypted messages you can easily re-encrypt them against a more current, OpenPGP compatible key. So that is not a reason to keep IDEA/PGP2 support.
That leaves us with PGP2 signatures and the implications of its removal on the existing web of trust. We're waiting for quantification in this department so that should be addressed later. But at the very least only verifying existing signatures seems a valid reason to keep parts of PGP2 support. The rest can be thrown out.
Either way I don't see why we should make an effort to support people who generate PGP2-anything these days. That is akin to equipping every new C-compiler with 8086 support because there might be people out there who refuse to ditch their PC-XTs. 

Cheers,
-J
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Further deprecating PGP2, Peter Gutmann
Next by Date:  Re: Further deprecating PGP2, Peter Gutmann
Previous by Thread:  Re: Further deprecating PGP2, Peter Gutmann
Next by Thread:  Re: Further deprecating PGP2, Derek Atkins
Indexes:  [Date] [Thread] [Top] [All Lists]