Re: [openpgp] How to re-launch the OpenPGP WG

[Christoph Anton Mitterer <calestyo@scientia.net>]

On Fri, 2015-03-13 at 08:16 +0100, Werner Koch wrote:
> > - The WG should consider whether to just bring OpenPGP up to date... or
> >   whether to completely overhaul or even re-design it.
> The please give the thing another name.  Recall the outcry whn I removed
> PGP-2 support from 2.1.
Well I guess it happens very often that one has a very loud minority and
a silent majority.
Removing the support was definitely the right thing, especially since
it's still in the other branches.
All these very old keys are likely lather small (and thus weak) and
shouldn't be used therefore anymore.

IMO, security business can't really afford to always comfort those
living in the past and/or not doing their homework.
This model (leaving legacy stuff in for compatibility reasons) blew up
so often recently (RC4, SSL3, the export cipher suites, problematic CBC
mode usage in e.g. SSH)... these things should have been phased out long
ago, instead, people waited for questionable compatibility reasons way
too long until 5 past 12.

Someone who really wants security should have to suffer because of those
who want to keep old systems/alogs/etc., since the later anyway do not
really want security. 


> We already have this.  You may either use a plain user ID with signed
> attributes to implement this or, better
Well, as I've written before, using the plain UID packets in such ways
should IMHO be given up.

> extend the attribute packet,
> which is currently only used for photo ids, but designed for what you
> want.  You may already start with this using the 100--110 subpacket
> types.
Sure, just no one ever specified it, and thus no one every used it that way


> Regarding the rest of your mail, I think it is better to postpone a
> detailed discussion for now.
Fine,... it's now in the archives for the records =)


Cheers,
Chris.