[openpgp] Requesting the editor to step down

Vincent Breitmoser <look@my.amazin.horse> Fri, 17 April 2020 10:19 UTC

Return-Path: <look@my.amazin.horse>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3FE033A0784 for <openpgp@ietfa.amsl.com>; Fri, 17 Apr 2020 03:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=my.amazin.horse
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id WoCqdsiKcJw5 for <openpgp@ietfa.amsl.com>; Fri, 17 Apr 2020 03:18:58 -0700 (PDT)
Received: from my.amazin.horse (my.amazin.horse []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 356E53A090D for <openpgp@ietf.org>; Fri, 17 Apr 2020 03:18:42 -0700 (PDT)
Received: from localhost (ip4d14cc04.dynamic.kabel-deutschland.de []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by my.amazin.horse (Postfix) with ESMTPSA id 538ED6B2FF for <openpgp@ietf.org>; Fri, 17 Apr 2020 12:18:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=my.amazin.horse; s=2020; t=1587118719; bh=gkdMUVAVN3poUHGLO9s8sRiBKgIeQiH6GoKhR7NDE8g=; h=Date:From:To:Cc:Subject; b=DeSzxZ1IN51aJ72fuTlIuzzDIcFw0J2JRo9WPCCN7BRRosWecFdqSDS2NPOaet2Oy LMR3ex21iFxA1YEsdoNgHgWHw70lbQ/hhcojxud63NpoCVYmwFJH7dHhvnoc2+1JB1 BVsbKd/hJ211nsA4BgfNfc++WmqlBDU1Hgpvtc0Q=
Message-Id: <3J6ZOTPGPXG6Y.2JRNW7TO2C5HZ@my.amazin.horse>
Date: Fri, 17 Apr 2020 12:18:30 +0200
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Vincent Breitmoser <look@my.amazin.horse>
To: openpgp@ietf.org
Autocrypt: addr=look@my.amazin.horse; keydata=mQINBFAB3UABEADCyB/vbIBA3m1Bwc yjTieEMLySwYgt54EQ2hglOocdtIhqC+b05t6sLSkwx2ukxrU2cegnCBkdyF/FZ/+Et638CUEBbf 4bjplwpt2IPLazQgjkwjMuhz0OcYDpMhwimTvh3mIl+0wzpOts6mEmMw0QZdl3RXvIW+NSynOn7q mz/fAv4Htt6lv2Ka0s6R2voyi+5U7CcIqizPad5qZVn2uxmovcFreTzFt6nk37ZbbTfvA3e5F0bR RQeH3viT5XxpJF4Y76v/Ua+5N3Kd18K0sX85rD1G7cmxR2CZ5gW1X24sDqdYZdDbf10N39UIwjJH PTeuVMQqry792Ap0Etyj135YFCE0loDnZYKvy2Y1i0RuEdTUIonIHrLhe2J0bXQGbQImHIyMgB9/ lva8D+yvy2gyf2vjRhmJEEco7w9FdzP7p3PhKrUiTjRsjHw8iV8LOCFx9njZOq9mism9ZZ16tZpx 9mXOf11HcH1RtVuyyQRS/4ytQPzwshXdSDDW6Btkmo9AbZQKC54/hSyzpp3Br2T2xDH7ecnonDB/ jv8rWuKXSTbX3xWAIrNBNDcTYaNe4jkms4HF7jJE19eRlqsXMMx6Fxvrh4TtKICwJYJ3AUmXrK3X Ti/mjqYfJ1fpBn54rWs8nhSR1fuZPD+aMlcP8BDUPlNKPKtj0DGSh3/VlnnwARAQABtClWaW5jZW 50IEJyZWl0bW9zZXIgPGxvb2tAbXkuYW1hemluLmhvcnNlPokCOAQTAQIAIgUCVTNZmgIbAwYLCQ gHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQe9GDIN6t+hHcVg//aeiijNqsQ3pjbFQn3VvND7hNfJ vrVcLZ+U4kOzXPF818aVdOnDyNXyE17vBDDcvaZ730sCsZIRZJ3KhUJ+nPvdttKjUIGLARmx+pA3 Jl3IIv2uLtOb3I0TMuyfIGJVGF+q10/CeDMKVjKlmyOVrR0opkel+KEoN7VLq3Hf3zPKENO1HBgp LHeP31tlb9cgs+u4o2wLrVe9myHbuFBW7EjWbSvdz2zliwbsFeFVLMNcWrKAU0GkkiH69SgnwmXU RkhGma4L27GLtkHHufsxfbcPqPtmtCttsGZU4EmrghGUqVyDOxnn8ZqybzLrRfpin+OCIX+aHJz5 r2L8qtrP0LorNMX3Gopd26vfhNvq/wq8xk++bW1R5FmkaUhx9h+DhO2ybcg7p/E8JHc8zrWv+bb3 0o9lkrOaU8GxXrgtb1cjtbb+MxFvjm0Elw7MSZDG7sF/APFU6cwuIA9Nai/OGAUCSt/W2ecS8Zox cWWbGSEiDvjtEctkpmHjfVuGoL34966Olm41VdH+NjgoSYUJKx4Mty8DRcZxdyoXll84LvDkEEYK ZqOIACsJf8CDFvUkmhXc+moCj15Yxtj3/RslRVEiOUyrpDwB72zWcZG8YnzoyGxhcRIc/gFejO/y SI8bzCpYngeuTb5NjFG+ChGiInHbQcFeHBlaHtKi2o/B5axIO5Ag0EVDvOgQEQALJby/ztliToGE u1lslvWQUQ6teKZVUQ7hy9bM4N83G0AGLatUBHtY6PkJBe4XkIw3sK7LoFCV2W4GSt4zWp9l+kG3 /J8Ow7EFjN0F7DrCg0M0lMg9dQz9jYSoBR8skaH3BRzCq9AKIVKV94poL/G65289L7zKDHoZnnyF qbBtedYZir0SZx+kiouZ1qnmxRPaYmH2fkuiuvYEAyzLDLYM8F5gQhdZM4YVtuvSICYPet0z4CDi JX/vZmDi3AzzoEVaKeAM/0H9f9Ni547J2+8dZSllgTrA+fq0aMJVScAObIxTAQtEq0DoNBzPpVrm W10b4bmgePrAvNkifqSr5StymSBgwvoeW6GrJiyN4XhoLOadZzwgjqioR1nXw5tXtrr5sYdkZ06b 1WWHkxtu1hFTdLC7RYNxY07ytLNM+C2lplCwCwlWB7RwI9BL1Dhre4kv8uaaX2Gksaq9mDf9MSDW qQ0TJ/RAiwMGmFrzBEYI1J2Oyeshi/dqW4/OiZAukOIlxOnt6u8zU2KL6Qjxqqna0oTbS4Zv3fRd YkuUCL6CDEJdkuRAiW+Gw+lKcMjXqApEqixhaDkoB/kwtu+2gIFTzAxMfwFN1YtNc0kJZWnFkGIW MrrwTcOwAFzlFz7wn/EyMFtg+ERcqMX0+olXDwM8MODI2+BzulPuEDEteCw09hABEBAAGJAh8EGA ECAAkFAlQ7zoECGwwACgkQe9GDIN6t+hFjuQ//UQyg49f8TytUYQaBb8R0UfI+KhQFs1Nsz2z8a3 0CD1MeiHHYWdAcomVvTkg4g5LbnYHVDrj/XagY3FN/AIE97usFbsTG+rsWAOLi7N2dN2ehWZ634k MvrgyC9uTiOdkw31+B8K5MpyySgD8e6SAzRfiu06/bcQOUyJifw8Hudpj9by4uyGhSH+kHu4afrp OduUighbsGFtcuRwwQ/w/oSk68XvPUgiOQWMZh/pVoXdFyFvrt/hgArCi8dfy5UPK58nl7jPnu/I uQXrJ50nNAFIIxPVeo2/B83KAnEZPU+qWZsdba0V+FIIQQVizLtQFMuJJk4/UTAOfJ2tBpQ9PADX 6/scqDE7unXNWdxcHTjK7KmWjXC8CyhGOx8V/rb7Ial4mZo4cTED6SNlO7dV1XYwnSctL2HCYNM3 RUe4eJ7JWuu7/Nbf6yip2eq7BQKZ9hAH/se/OSZNYsEkZ4pxUc8W5U3uAZImUwC6L74SM0jBZIuD mQhOYX6sZZ6urIn/MYlj4/hqSBFS4vTK7nXRLmtr7+5T5U5srVseUiYc+l9pu9/XD8zGIu+M2xEd 41NwP44GDQTQm0bFljRv5fSblwmi56YHPFQUIh2RZNX3kOJgeyQ3enw5uY+7ocKRVP38hpnffliL lJcO6TtHWnElS3pACbTQM0RHJox3zqU3q6K3c=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/XxZt89Eh7XUenuVRajbgtcWzWdA>
Subject: [openpgp] Requesting the editor to step down
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 10:19:00 -0000

Hi OpenPGP folks,

Five years ago, the OpenPGP working group was reopened. It was chartered as
a "crypto refresh" of OpenPGP, and a decision was consciously made to not add
features beyond that. The newly reopened working group strayed from this goal
quite a bit, got lost in a confused silence, and was closed again due to inactivity.
Despite the formal status of the working group as closed, rfc4880bis is still
being worked on. This work happens on this mailing list, but most of the actual
progress happens on the openpgp-wg/rfc4880bis repository on gitlab:
https://gitlab.com/openpgp-wg/rfc4880bis There have also been a couple of
releases of this spec as I-Ds, and it is used in practice as a reference by

Since the original reopening, the role of the editor has been held by Werner
Koch. The formal description of the Document Editor is described in [BCP25] as
"The Document Editor is responsible for ensuring that the contents of the
document accurately reflect the decisions that have been made by the working
group." Following this, I believe the following to be a reasonable set of
expectations towards an editor:

1. Communicate decisions and updates to the working group.
2. Foster cooperation.
3. Work out specification content from group consensus.

Myself and others have been increasingly dissatisfied with the way that all of
these expectations have not been met in the editing process of RFC4880bis. More
subtle attempts at communicating this have failed, which is why I am bringing
the issue up on this list.

I'd rather spare everyone the exercise, but it seems necessary to give a few
concrete examples of this dissatisfaction. Feel free to skip ahead.


The repository on gitlab currently has seven open merge requests, that have been
open for many months. Those range from trivial fixes for typos, to dkg's work on
User IDs and replacement of Revocation Keys, and a fix for a test vector(!) that
received no attention in six months.

On the other side of things, Werner commits his own changes directly to master,
sometimes without any communication.  A recent example from two weeks ago, was
the introduction of a new "key block subpacket":
Regardless of whether this mechanism is a good idea (it probably is), or whether
the spec wording is good (is "key block" the best term?), there was no attempt
made to find consensus about it, on this list or elsewhere. (This feature was
also implemented into GnuPG on the same day it was pushed to master in the spec,
and released as a backport into GnuPG 2.2.20 just a few days later.)

As noted above, the decision process of whether a proposal makes it into the
spec seems arbitrary at best. But even when consensus is achieved, the actual
editing process is haphazard. In August of 2019, dkg and myself worked out
a draft for "attested certifications". This work found some consensus on the ml
(including from Werner), and eventually led to a merge request:
When Justus Winter and Heiko Stamer reviewed this MR, they found an oddity about
the way that signatures were made, and also two typos.  Despite those issues
that obviously still required attention, Werner merged the MR, leaving no
comment and offering no follow-up.  The typos and cryptographic oddity of the
signature remain to this day.

Facilitation of cooperation has failed as well. On March 19th last year, Justus
Winter opened an issue on the repository saying that he could not build the spec
in its current form:
Six months after the issue was posted, Werner closed it with the single remark
"I can't replicate that."  dkg reopened the issue, noting that the toolchain
works only on Debian stretch (then already oldstable by a few months), but did
not in fact work on Debian stable. The ticket remains open to this day, even
though the issue itself was eventually resolved with a merge request from dkg
that converted the toolchain to kramdown.

This is not an exhaustive list. I tried to pick examples that illustrate their
points in a clear way, and hopefully relatively free of personal bias.


I appreciate the work Werner has put into RFC4880bis, and of course into OpenPGP
in general. However, a document that is published under the ietf-* namespace
bears a quality of officialness, and thus an expectation to reflect consensus of
the working group. The draft-ietf-openpgp-rfc4880bis-* documents do not, in my
opinion and that of several others I have talked to, meet this expectation.

In consequence, I formally request Werner Koch to step down from his position as
editor for the OpenPGP specification.

Of course, this means we will need a new editor. I'm confident that we can find
someone for this role, once the air has cleared a bit.

As a general thought for a way forward, I would suggest to restart work on
RFC4880bis conceptually, in the way it was originally chartered as a pure crypto
refresh.  A good starting point would be for a new editor to bring the original
RFC4880 into a modifiable state with a modern toolchain, to allow work on actual
set of patches going from 4880 to 4880bis. A portion of the changes made on
RFC4880bis so far certainly don't match the chartered "crypto refresh", so it
makes sense to cherry-pick from them in an ordered fashion, with a check for
consensus and implementation status.

I would further suggest to orient future work more on concrete proposals, i.e.
diffs against the spec. By explicitly asking contributors to submit and maintain
concrete patches as a basis for discussion, we encourage contributions that are
better thought out, continuously reflect the state of thinking, and can be
weighed against one another - or combined on their merits - more easily.

I apologize for bringing up this unpleasant topic. Thanks for reading, and

 - Vincent Breitmoser

[BCP25]: https://tools.ietf.org/html/bcp25#section-6.3