Sune Vuorela <nospam@vuorela.dk> wrote:

Not only that, but some of these people were also in the
standardization workgroup knowingly forcing the schism by wanting,
what GnuPG upstream describes as, 'useless complexity' (my wording,
not theirs).

Hi there! In addition to having helped maintain GnuPG in Debian for
over a decade now, i'm also interested in there being a healthy OpenPGP ecosystem. I've also been partially responsible for packaging or
nudging other people to package several other OpenPGP implementations
being available in Debian (e.g. librnp, sequoia, rpgp, gopenpgp, pgpy, pgpainless). And, I'm also the co-chair of the IETF OpenPGP working
group, which i think is what you're referring to.

And i'm still helping to maintain GnuPG in Debian, despite this mess.

The idea that the other members of the working group were "forcing the
schism" doesn't line up with my experience. Werner decided to step away
from the process of standardizing something in an open and interoperable
way.

g10code (the builders of GnuPG) is, as far as i can tell, the driving
force behind the standards fork they've named "LibrePGP", whose motto
includes "Never Mind OpenPGP". Is this really the OpenPGP
implementation we want Debian to depend on?

Even when Werner was in control of the revision of the OpenPGP standard
(before he left the WG, he was the editor for the standard), his
proposals were in flux and people attempting to align with his published
code ran into problems aligning it with the published spec. Here's one
example from a few years ago, from an OpenPGP implementation that was
trying to follow along with Werner's plans:

the AEAD encrypted packet varies between the current implementation in
GnuPG (in use) and the latest version of the OpenPGP standard (more specifically the version field of the AEAD encrypted packet in the
standard is with value 2, and the standard proposes a fixed IV (initialization vector) for the AEAD packet in contrast with the algorithm-specific length at use by GnuPG at the moment and version 1
of the AEAD packet).

https://didisoft.com/2022/07/01/aead-cipher-support-in-openpgp/

When the WG was inactive (even farther in the past), GnuPG led the way
to using modern elliptic curve cryptography (e.g. with curve 25519), but
in doing so, it failed to specify what it was doing and how the objects
should be structured on the wire, which made it notably harder for other implementations to interoperate. The new standard is complex in part
because it *has* to accomodate those arbitrary choices made by GnuPG in
the past, which were not made with community review or input.

GnuPG continues to make these kinds of changes, which fail to
interoperate correctly not only other OpenPGP implementations but in
many cases with older versions of GnuPG itself.

These are all good arguments for specifying things in public, and giving
room and time for discussion, and making sure that implementations can
consume things (or at least fail safely/gracefully) before we emit them.
We don't want to be stuck with a single reference implementation as "the standard", because everyone makes some mistakes. I already linked in
this thread to concrete cryptographic concerns raised by non-GnuPG
participants in the WG that GnuPG has decided to ignore.

There are participants from a half-dozen OpenPGP implementations in the
working group, and most of them are interoperating with each other just
fine, even in cases where they don't get exactly what they would have
wanted from the standardization process. Yes, the process is messy, and
can be frustrating. And while there are parts of the
community-developed standard that are more complex than what Werner
wants most recently (e.g. more than one AEAD mode), there are also parts
that are significantly *simpler* than what Werner is advocating (e.g. no attempt to sign the Literal Data Packet's metadata misfeatures, adoption
of simple key and signature wireformats, explicit bindings between
session key formats and encryption formats, simplified message packet
grammar).

But the schism is, as far as i can tell, a disaster for both OpenPGP and
for the GnuPG project. The best outcome would be for GnuPG to be able
to parse the updated OpenPGP standards (keys, certificates, signatures, encryption), and to limit itself to emitting data that can also be read
by other implementations, including the new simplified formats. I know
that the GnuPG project has the cryptographic and software development
expertise to do it, but the project doesn't seem to have interest in
broad interoperability or demonstrating leadership within a pool of
peers, and is instead imposing this schism on the larger ecosystem.

Finally, engineering choices made by GnuPG have made it significantly
harder to upgrade even GnuPG itself, and slowed progress on other free
software work. To cite just two examples in the last year:

https://bugs.launchpad.net/launchpad/+bug/1827369
https://lists.debian.org/debian-devel/2025/01/msg00162.html

You can see other examples reflected in the patch history for GnuPG in
debian, where some engineering choices that make the tooling work better
are simply ignored by upstream despite pretty clear evidence that these
changes are valid for important use cases and don't break anything else.

These engineering choices make me wary of further cementing our
dependence on GnuPG in debian, and make me appreciate the process of collaborating with other downstreams of GnuPG to address broader
concerns.

In short, I'm a long-time supporter of the kinds of cryptographic work
that GnuPG has done. I want to see functional, interoperable
object-based cryptographic security tools in the hands of as many people
as possible, without vendor lock-in. Our users, the free software
ecosystem, and the cryptographic standards base is not well served by
GnuPG being the only OpenPGP game in town, or by distributing unpatched upstream GnuPG.

--dkg, more than a little depressed by this situation

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

wr0EARYKAG8FgmeFZScJEHctFh41zUuBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ4e63jIhW6Ba2DKXZZs49Njhlgk03yK5l0o6lfNhLcu+ FiEEdLwExD2GCEvoZywGdy0WHjXNS4EAAHU2AP0SLpb+HsW2CyAuFDbGzX1q8JkG V4e0rYIz4lc73MHmlQEAklR27Rf/YA9jqlP5fxcUy64xQf3B0ZLNjFWxzsnGcwMyW0
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2025-01-13, Daniel Kahn Gillmor <dkg@debian.org> wrote:

The idea that the other members of the working group were "forcing the schism" doesn't line up with my experience. Werner decided to step away
from the process of standardizing something in an open and interoperable
way.

At some point, one might need to step away if others insist on sillyness
(my wording)

One of the 'big points' as I understood it was doing aead in 3 different
ways, two optional.

To quote the upstream documentation of another Openpgp project:

| openpgp.enums.aead.gcm; // Default, native in WebCrypto and Node.js
| openpgp.enums.aead.ocb; // Non-native, but supported across RFC 9580 implementations
| openpgp.enums.aead.eax; // Native in Node.js

Defaulting to a mode that is optional in the spec and thus not all implementations support it.

Having 3 ways of doing things the same thing is to me just silly from an engineering perspective. And having some of it optional when it really
isn't (and defaulting to one of the optionals) in the spec is just weird.

/Sune

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This appears silly from an engineering perspective, but there is a
specific motivation behind it: Proton (the mail company) wants this to
simplify the implementation of PGP with Browser APIs.

As you said, too many optional ciphers are bad for compatibility. Note
that the key preferences do not help with this mess. Users usually have
one identity, but want to use it with different PGP implementations,
e.g. on their phone and their PC.

However, GnuPG's reaction to start their own standard is not helping
either. Bodies like IETF have to find a true consensus, not only
majorities, because there is no way to ensure proportional
representation of developers, users or other stakeholders.

The free software community is used to the problem that companies
intentionally send new people into standardization bodies just to tip
over the majority vote. We have seen this happen many times. In my
opinion, the OpenPGP schism has this smell, too.

Regards
Stephan

PS: I also criticized some features of the new OpenPGP standard
personally, e.g. unnecessarily making signatures non-deterministic. But
those are academic details not related to the schism.

https://mailarchive.ietf.org/arch/msg/openpgp/uGHlHjeqo7VEZ55JO_7IcV-Q1Nk/

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQRB1rjSpCJd8a7h6mNgNUJZCjx8YgUCZ4Ye6wAKCRBgNUJZCjx8 YlhuAQDJwbmW9CM+33I5bL5uVn3JZibjlkzXm9EiEIxwDyKkCwEA/yPmkwS1avBn BThPDzYKDdfgbkNKMeKrZn/b4/NKhQ0=
=Eyun
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

First a big thank you for all your efforts re OpenPGP! It is hard to
navigate when there are conflicting requirements around. We need more
boats attempting to navigate rather than less, increasing the chances to
reach fertile grounds.

Daniel Kahn Gillmor <dkg@debian.org> writes:

But the schism is, as far as i can tell, a disaster for both OpenPGP and
for the GnuPG project. The best outcome would be for GnuPG to be able
to parse the updated OpenPGP standards (keys, certificates, signatures, encryption), and to limit itself to emitting data that can also be read
by other implementations, including the new simplified formats. I know
that the GnuPG project has the cryptographic and software development expertise to do it, but the project doesn't seem to have interest in
broad interoperability or demonstrating leadership within a pool of
peers, and is instead imposing this schism on the larger ecosystem.

There is also the possibility for Seqoia and others to implement parsing
of what GnuPG and others are emitting. I am confident doing so is
within the expertise of the relevant people too.

Fundamentally, I believe that forking upstream projects in this way is
bad for users of distributions like Debian. Each project should own the
moral compass of its own destiny, and users can decide what to use if
they agree with that compass. That's why I personally no longer install
Debian for example, because I prefer a 100% free software OS. Right now
user decision is crippled because users cannot conveniently get to the
proper GnuPG package from Debian, and I believe that's bad for everyone;
users, Debian, and GnuPG.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmeGHncUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJl/YgIBQkLehFUAAoJENc89jjFPAa+CboA +wUa06RD5e5VTCxvSWtPS75Wq2qBeYGZnf0jvUMxa2n4AP4xkUeAPPnNuMsTm2fs FCDIGaEM2Yn6Vb2huzzT1Fw/BLgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZf2IKwUJC3oQqgCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+GcYA/26YQY05bLtnXiIjTiAzrGQrRXxTHPA8Av7TDFHvIetWAP9s HSoU8OfTwmTiEnGwLlsV7QJclZg3YNz/Ypcp9TqQBrg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJl/YgwBQkLehDGAAoJENc89jjF PAa+phoA/jrDqIrl/55vUMBhIQv+TP635d2iCTEnyFmbUcP9+gh6APoDsXalVd2c OGxQtSC+TF8PkZMn1TLkJKAjVxr+xx40AgAKCRBRcisI/kdFoj2dAP9udTcqwOZh Bqel2l2WlDwvUWx5E5rP7vDeTTgyozy82QD/cD3J9EZIK9fZ2g5/AoWy+9nYTKgP NCtUvRhCPQ8qIQk=
=s1+6
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2025-01-14, Stephan Verbücheln <stephan@verbuecheln.ch> wrote:

This appears silly from an engineering perspective, but there is a
specific motivation behind it: Proton (the mail company) wants this to simplify the implementation of PGP with Browser APIs.

But is this motivation more important than a coherent ecosystem?

However, GnuPG's reaction to start their own standard is not helping
either.

I agree that it is not helping on a coherent ecosystem, but I'm also
having a bit hard time finding any other solution from the GnuPG side
for a way forward if they think than 3 different ways of doing aead
is an absolute no-go.

At least publishing a spec/standard is much better than the same thing
without a spec.

A difference between GnuPG and many other implementers is that GnuPG
(in libgcrypt) does most crypto by themselves where many others use
third party libraries for most crypto and thus might have stronger
feelings against many ciphers.

Bodies like IETF have to find a true consensus, not only
majorities, because there is no way to ensure proportional
representation of developers, users or other stakeholders.

And it was quite clear a bit early on that the GnuPG people would be in
the very rough end of a rough consensus.

The free software community is used to the problem that companies intentionally send new people into standardization bodies just to tip
over the majority vote. We have seen this happen many times. In my
opinion, the OpenPGP schism has this smell, too.

ack.

/Sune

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

simon@josefsson.org wrote:

Fundamentally, I believe that forking upstream projects in this way is
bad for users of distributions like Debian. Each project should own the >moral compass of its own destiny, and users can decide what to use if
they agree with that compass. That's why I personally no longer install >Debian for example, because I prefer a 100% free software OS. Right now
user decision is crippled because users cannot conveniently get to the
proper GnuPG package from Debian, and I believe that's bad for everyone; >users, Debian, and GnuPG.

There's a lot of loaded words in what you write there.

Debian has *always* added config, applied patches and adapted upstream behaviour of upstream packages to make them fit our needs better. Why
should GnuPG be any different?

--
Steve McIntyre, Cambridge, UK. steve@einval.com Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)