Likely IETF WG incompatibility with GnuPG 2.3/2.4

Bernhard Reiter bernhard at intevation.de
Fri Jan 6 15:30:31 CET 2023


Hi Vincent and list,

first I wish a happy new year to you
and hope for individual health and generally more peace in the world!

On Tuesday, 20 December 2022 11:38:51, Vincent Breitmoser via 
Gnupg-devel wrote:
>  > and the WG decision to become incompatible with the previous drafts
>  > were a big decision for the working group affecting
>  > OpenPGP users, implementations and the wider ecosystem.
>
> That is true. And the decision has not been made lightly.

I also do not know what is going on.
My response mainly aims to explain that the way a question is asked
already makes assumptions. And if we want to reach collaboration
we need a respectful way of treating each other.

> As any WG work, this is a public process:
> There has been a lot of discussion,
> over a lengthy period of time, with input from many individuals and
> projects.
>
> https://mailarchive.ietf.org/arch/msg/openpgp/PWp3ZcZ_qnDNLhuT-zR7gA2ddeg/

Given the cited charter and way the "design team" works in followup
to your post, the design team was a closed process.
And according to Werner the design team was in consensus and on a good course, 
with only details to sort out, until he had to leave it.
So we need to find out what was happening in the IETF WG design team (often 
abbreviated DT) after this.

> It's a complex topic and hard to do justice in summary.

Thanks for providing a link to the mail archive showing one part
of the process that is on public record. After reading a few mails
my current understanding is:
 * There are overlapping (and partly conflicting) drafts,
     let us call them "koch" and "newdesignteam"
 * The "newdesignteam" draft is much longer and more complex
   (at least according to Peter Gutmann and Werner Koch)
 * The "koch" draft is implemented widely (which was common practice
   to test the specification).
 * Somewhere the closed DT deviated from a consensus that the previous
   "koch" drafts had in the working group and of the course the DT had
   in their closed group.

> Hence the concrete question here what the plans are for the future of
> his concrete project.

As you wrote mails to the WG list, you will have seen what Werner already 
wrote about what is a good path forward for the existing implementations RNP and 
GnuPG:

https://mailarchive.ietf.org/arch/msg/openpgp/Ek9SvwdsWJ_j4C7SWVoCSKwfo8Y/
Werner Koch <wk at gnupg.org> Mon, 10 October 2022 12:20 UTC  

  [..] We deployed things years ago
  and won't extend that unless there are sound reasons for it.

  It would be a bit sad if we eventually need to state: "GnuPG implements
  OpenPGP as specified by RFC-4880 and RFC-6337 plus some extensions
  described [[here]]".  However, our users and their data are more
  important to us than implementing a newer RFC.

https://mailarchive.ietf.org/arch/msg/openpgp/EQC4wCPfwDm-CKLbYLGsOC5hQpE/
Re: [openpgp] a new draft overlapping the WG draft
Werner Koch <wk at gnupg.org> Mon, 10 October 2022 12:34 UTC
   
   [about newdesignteam draft] a brief reading shows
   that it is way too complex for an update of OpenPGP.
   [..]
   I have not read the new v5 things in detail but I can imagine
   that we can still change the format.  We have been cautious enough to
   tell people that v5 has not yet been finished.

It seems after this, not much has changed on the "newdesignteam" draft.
In December Werner wrote:
https://lists.gnupg.org/pipermail/gnupg-users/2022-December/066362.html
Werner Koch wk at gnupg.org, Fri Dec 16 18:45:58 CET 2022

  [..]
  GnuPG won't follow the likely outcome of the IETF OpenPGP WG because we
  value our users and feel a responsibility to keep a deployed and
  sensible moving ecosystem alive and working.

So yes, it seems that the outcome of the WG is an incompatibility.
And the stated plan of GnuPG seems to not follow the WG outcome,
until it changed to be less complex and more towards the early consensus 
points. (The 10th of October 12:34 mail shows some technicals where
both sides seem to be open.)

It would be good to have a more official statement from GnuPG 
and RNP about this. At least I'll go asking.

But I also think that others need to dig through the data so we get
a summary about the technical issues and the reasoning.
And also ask questions about the rationale of the remaining
closed design team.

Best Regards
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter