Standards: IETF WG proposing incompatible despite implementations and objections

Bernhard Reiter bernhard at intevation.de
Thu Apr 27 10:04:09 CEST 2023


Hi Vincent,

On Wednesday, 26 April 2023 at 18:26:29, Vincent Breitmoser via Gnupg-devel wrote:
> The linked thread is months after the decision was made. You can refer
> to the lengthy thread where the decision was made here:
>
> https://mailarchive.ietf.org/arch/msg/openpgp/PWp3ZcZ_qnDNLhuT-zR7gA2ddeg/
>
> Ultimately the decision is a culmination of issues that were boiling
> unaddressed for many years.

maybe, but wouldn't it make sense to reconsider
if substantial arguments come up?

Just to consider the point Bruce brought up: Why is EAX still in?
Where can I read up on the argument on this?
(I used to read some PEPs of the Python community and while there were hard
arguments made, they try to write them down for a way forward.)

> > A good path forward would be, if the technical arguments would be
> > re-considered, and deployed implementations.
>
> The single one big argument is that of compatibility. And it's a really
> strong argument. So strong in fact, that some folks worry that going
> ahead with the new spec despite it may spell the death of OpenPGP.
> And indeed - it just might.

Both true, but it is not necessarily a "big" argument in my view. 
Compatibility issues can often be addressed in parts or little steps. Or with 
a plan over time. The question is: where do we want to head?

> But if you read through the thread linked above, a large part of the
> working group felt that the OpenPGP community effectively maneuvered itself
> into being held hostage by this argument. The options on the table seemed
> to be declaring Werner dictator for life over the OpenPGP specification, or
> taking the hit of the compatibility argument and trying to establish an actual
> working group again.
>
> Sounds pretty extreme, I know.

If what you write is a representative summary, 
then the reason for the decision would not be a good argumentation
from this fraction of the working group. It would be about argumentation 
style. And however you like or dislike an argumentation style, the argument
itself does not change. So keeping EAX in the proposed spec will be a 
disadvantage or not, independently of who proposes it.
What you are saying is that the working group wants to oppose Werner for
showing that they have the power and need to be taken seriously.
It may be that those people feel this is necessary, but it is hard to see
how a technical specification will benefit from this. For this to work, they 
would need to reject arguments that Werner supports just because he supports 
them, not on the basis of a technical argument. In a sense they would be more 
forced by Werner's views if they just based their proposal on arguments 
alone.

> But considering these extremes - I have never had the impression that
> Werner, or you for that matter, have stepped back from their position
> of GnuPG power to say - whoa, if this many people are going to such lengths
> and are  willing to risk so much in order to change course here 
> - maybe it's not just all of them being stupid?

My view on this "power" mechanism is quite different. While I have seen power
being used (and sometimes for the bad, but often for the good) I have found 
Werner sometimes to be defensive initially, but later in almost all cases, 
open to follow an understandable argument. I have seen this so often over 
more than 20 years that I trust Werner to have an outstanding knowledge and
development intuition about real-world usable and widely deployed public key 
cryptography and its implementation. He was so often right long before I 
could understand why.

I am personally interested in getting a good standard and Free Software
implementations that help everybody. I make up my own mind and will criticise
Werner's arguments if I believe they are flawed. You will find a number of 
public examples on this list. As for the OpenPGP standard:
When I have noticed the problematic situation growing, I have started looking 
a bit at the situation myself to make up my mind, and I hope we get the 
arguments in an overview so that more people can evaluate them. So yes, it is 
very well possible that the post-2021 working group people have very good 
points, and I need to keep looking for those.

It also is possible in general that many people are wrong about something that
they are fiercely fighting for. (There are examples in general sciences.)

What is the case here, I don't know for sure. My current state of mind is
the summary I've posted yesterday. (A personal situation had me unable to
work for a number of weeks where I was out of the loop.)

Do you have a suggestion for what I could do?

Best Regards
Bernhard
-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter