Re: [openpgp] Disadvantages of Salted Signatures

Stephan Verbücheln <> Mon, 11 December 2023 17:40 UTC

Hi Andrew

On Mon, 2023-12-11 at 09:46 +0000, Andrew Gallagher wrote:
> I do not understand the stated interoperability issue. OpenPGP
> ensures interoperability with optional features by requiring the end
> user to advertise their ability to handle them using flags on their
> public key; without those flags other implementations MUST NOT use
> optional features in their correspondence. This has been the case for
> almost three decades now, and it has worked remarkably well.

There is not really such a thing as an “optional” feature. It is
optional for me to use it, but it is not really optional for a useful
PGP implementation to support it.
Interoperability is not just one person encrypting a message for
another person at a given time. PGP is more complicated. PGP keys are
used for a long time with multiple identities, subkeys etc. PGP-
encrypted data is stored even longer than the expiration of the keys.
When I want to read my decade-old e-mail archive, I need my PGP
implementation to support every algorithm that any PGP implementation
from any device in my past has ever used.

> We lost that war twenty years ago. An entire generation has grown up
> for whom webmail == email. A small working group revising a niche
> (sorry, everyone!) standard is not going to make a dent in that.
> Given that end-user adoption of OpenPGP is voluntary, the default
> alternative to OpenPGP-enabled webmail is plaintext webmail. You need
> to meet people where they are.

Most people are not willing or able to do key management and that is
fine. They should better use one of the available end-to-end encrypted
messengers. PGP is for a niche indeed. But this niche matters a lot
more than people think.
PGP is used by security researchers to encrypt bug reports. It is used
by developers to sign Git commits and release tarballs. It is used by
Debian and Co. to secure package repositories and software updates. It
is used from Apple to Debian to sign official announcements. It is used
by Debian folks to identify each other.
A lot of people depend on these ecosystems, even when they are not
using it themselves for their personal e-mail.