[Top] [All Lists]

Re: [openpgp] Manifesto - who is the new OpenPGP for?

2015-03-25 08:41:40
Compatibility with existing implementations should be a consideration when
making any updates to the spec.  Creating a "V5" key format is certainly
within scope.  Radically changing the packet structure or data encoding
scheme in a way that breaks all existing implementations or forces the
implementors to have 2 very different code bases to support old vs "new"
formats should be strongly discouraged.

One of the (many) problems with todays OpenPGP is that it is impossible to
update older keys to a newer format, which leads to many users continuing
to rely on old keys and implementors end up having to support the older
formats.  We could encourage users to "modernize" their keys if new formats
were designed with some thought to having an upgrade path from V4.
Revoking old keys and re-issuing your public key to your "circle of trust"
is tedious and semi complicated and most people just give up and create new
keys or stop using PGP altogether.  Certainly, weak keys should be revoked
and replaced, but "reasonable" keys that are just in an older format should
be easily updated to newer formats if possible.

IMO, the goals of an OpenPGP update should be:
1. Remove any outdated and/or insecure ciphers and hashes
2. Specify profiles for new ciphers, modes, and hashes with an eye towards
simplification.  Keep the "MUST" list short and the optional list brief but
3. Upgrade path from V4 keys to V5 and beyond.
4. Don't fix what ain't broke.  ASCII Armor, for example.

If whatever results from this effort requires a complete rewrite of
existing OpenPGP parsing engines and reengineering existing apps from the
ground up, then it will be a complete failure and should be renamed
something else and taken to a new WG.


On Wed, Mar 25, 2015 at 9:03 AM Stephen Paul Weber <
singpolyma(_at_)singpolyma(_dot_)net> wrote:

FWIW: When I kicked of this thread I was not thinking of a "new OpenPGP"
but of long planned extensions and updates to an existing protocol.
Throwing everything over board and start from scratch should not be done
under the label of OpenPGP;

I very much agree.  To be "OpenPGP" is to be at least *able* to be
compatible with the current OpenPGP.  Otherwise you are something new and

Stephen Paul Weber, @singpolyma
See <> for how I prefer to be contacted
edition right joseph
openpgp mailing list

openpgp mailing list