Re: [openpgp] Backwards compatibility

Paul Wouters <> Thu, 19 October 2023 16:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 77DC8C151552 for <>; Thu, 19 Oct 2023 09:00:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.405
X-Spam-Status: No, score=-4.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id I7n_HWJCYD9y for <>; Thu, 19 Oct 2023 08:59:59 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 15C49C14CE4B for <>; Thu, 19 Oct 2023 08:59:58 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 4SBC8s0BgZz3Bv; Thu, 19 Oct 2023 17:59:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1697731197; bh=r0+jLZFIPTzrpbHBd4NX/BbsRdvx+cJWbUchV0ExhPA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=dHEl3PRCf8QjXFVc07/Vty1+gXe0KU3IPMNCvq93Fq724iQfA2fnu1LoKXO/ZUnr2 YJez1HxdiM/zO7LqepNm9shIMT+/IoMCYQ2bfdXCSiGvgp2qy7nUefyAID/JdZftW/ 2JDmqcKnx+DTKB2g4fW4f8zzAownkrhUcLp4PJvM=
X-Virus-Scanned: amavisd-new at
Received: from ([IPv6:::1]) by localhost ( [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id WiW0kmKpuD9H; Thu, 19 Oct 2023 17:59:55 +0200 (CEST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS; Thu, 19 Oct 2023 17:59:55 +0200 (CEST)
Received: by (Postfix, from userid 1000) id 669E31098D5C; Thu, 19 Oct 2023 11:59:54 -0400 (EDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 637DE1098D5B; Thu, 19 Oct 2023 11:59:54 -0400 (EDT)
Date: Thu, 19 Oct 2023 11:59:54 -0400
From: Paul Wouters <>
To: Werner Koch <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <>
Subject: Re: [openpgp] Backwards compatibility
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Oct 2023 16:00:03 -0000

On Thu, 19 Oct 2023, Werner Koch wrote:

> On Wed, 18 Oct 2023 14:18, Paul Wouters said:
>> Discussion can be found here:
> A discussion in commit logs is not a discussion in the WG.  Commit logs
> as well as discussions in bug trackers are pretty in-transparent for
> participants of the WG because you need to actively monitor all bugs
> instead of following the mail threads.

I was being helpful so you can make your issues more concrete. From a
process point of view, individuals discuss on the mailinglist and use the
publication of drafts and draft differences to discuss concrete issues on
the list. You stopped doing that for more than a year. Coming back after
such a long hiatus and claim "every change is bad, drop this document"
is not feedback the WG can do anything with. If you vanish and not give
feedback during the process, the onus is on you to come with specific
argued proposals for changes. In case that is difficult for you to do
based on reading the latest draft and the openpgp mailing list archive,
I gave some helpful suggestions that might help you further trace the
decisions of the WG in greater detail via issue tracker items and commit

This WG has been rather meticulous in documenting every decision about
every line of text. This extra data should greatly assist you in
catching up to the WG and the various drafts it submitted.

>> I'm sure the CFRG would be interested in hearing about GCM attacks.
> I don't think the cons of GCM and other counter mopdes need to be
> repeated.

You have been in the rough of consensus on the topic of adding a non-MTI
of AES_GCM. If you have no further issues you would like to raise, then
I will consider this round of your feedback as processed with no further
need for changes.

>> be used by those who want and those who do not want AES_GCM, and the
>> complexity of a code point in addition to EAX and OCB is well, miniscule.
> This was the major reason to drop the deployed format and introduce a
> the HKDF.

I believe by "deployed format", you mean an earlier draft of 4880bis?
This "deployment" of your software was behind an optional argument
and not deployed by default. Which it should have been because it was
a draft and not a published RFC and subject to change. However, you
then choose to change this to become the new default, and other places
(like RHEL/Fedora) had to undo this change in your software, eg:

commit 146a5fe7ef862a957ef6ac35a4ec2c6308eca0f3
Author: Jakub Jelen <>
Date:   Thu Feb 9 16:38:58 2023 +0100

     Revert the introduction of the RFC4880bis draft into defaults

I feel that the deployment damage, insofar introduced, has been caused
by gnupg and not the WG. And that deployment damage has mostly been
countered by downstream patched of Linux Distributions. I do not believe
the WG needs to take this "deployment damage" into account.

If you have technical arguments as to why the HKDF is not the right
method to support AES_GCM and have a counter proposal, please share
it with the WG and explain why your proposal is better than the
current draft text.

>> I find it hard to believe that all other IETF protocols can safety
>> support AES_GCM, but not OpenPGP.
> PGP has had always higher standards than committee driven protocols and
> tried to do the Right Thing.

This draft is OpenPGP, not PGP. The first OpenPGP RFC was published in
1998. I think it is safe to say that all modern deployments of PGP are
using OpenPGP, and this committee driven protocol has been successfully
deployed and updated over time within the IETF. This draft document has
continued development using the IETF standards process.

Again, if you have any specific items for us to discuss, I and I'm
the sure others in the WG, are happy to do so. But the WG cannot really
act on blanket statements of "this document should not published".

If you feel our consensus calls have not sufficiently taken your input
into acocunt, please look at the IETF Appeal Process. A summary of which
can be found at