On Sunday, Mar 9, 2003, at 01:27 US/Eastern, Peter Gutmann wrote:
> Jeroen van Gelderen <jeroen(_at_)vangelderen(_dot_)org> writes:
>> How can my copy of OpenPGP support an IDEA-encrypted message if I am not
>> allowed to use IDEA to decrypt it?
>
> How many people are really going to be affected by this?

Any implementor of an OpenPGP-compliant application. As long as I
'SHOULD' handle IDEA-encrypted mail people will consider my application
to be incomplete if it doesn't.
Anybody who uses -say- the Cryptix OpenPGP library in a commercial
setting will have to get themselves a license or disable the IDEA
functionality.
For what? For people who insist on using outdated and deprecated
software? Why would they expect a modern standard to cater for them?
Why not get rid of IDEA? People MAY implement IDEA/PGP2-support in
their otherwise OpenPGP-compliant applications. Such an extra feature
will not render the application non-compliant. But rip the 'SHOULD' out
of the standard. Make sure that people who send PGP2 messages do
realize that they are not sending OpenPGP messages and that they cannot
expect OpenPGP compliant apps to deal with them. In particular, let's
make very clear that they cannot expect a PGP2 response back.

> As I said in my previous message, I would imagine that the majority of
> people still using 2.x are individuals/personal-use, which means they have
> no problems using IDEA.

Then they don't care about their use of IDEA being OpenPGP-endorsed or
not. I do care about the fact that I am not legally allowed to decrypt
their messages when I receive them. And you are giving them the
ammunition to say "Hey, my message is OpenPGP compliant!".
The issue is not them. The issue is that everybody else 'SHOULD' handle
their outdated messages. I don't care what you use or do, I care about
what I am supposed to do according to the standard. And according to
the standard I 'SHOULD' support a long-deprecated type of message and
thus I 'SHOULD' pay royalties.
I want *every* OpenPGP implementation to be able to handle OpenPGP
messages without paying royalties to anyone. And thus do I want
IDEA-encrypted messages to not carry the OpenPGP seal of approval.
There is no need for that.

> Commercial users will (presumably) be using a licensed version, in which
> case it doesn't matter either. You need to distinguish between "We can't use
> IDEA for commercial/licensing reasons" and "We refuse to consider IDEA for
> ideological reasons".

That is easy for you to say. You can create an IDEA-message for free
because you don't work in a commercial setting. I can't legally decrypt
your IDEA/OpenPGP message because I don't have an IDEA license. What
kind of interoperability is that?
The point is that using the full standard including 'SHOULD's in a
commercial setting requires money. That has nothing to do with
ideology. Zip. Zilch. Principle, yes. But not ideology. Internet
standards are kept patent free for practical reasons, not ideological
reasons.
Wasn't it you who called for a patent-free OCB? Why was that again?
Cheers,
-J