Way back, there was a rambling and expansive process to update the OpenPGP standard. Years. So eventually it was decided to do a more focused "crypto refresh" that would be restricted to just important cryptography concerns. The GnuPG program was part of this. During the process the head of the GnuPG project (Werner Koch) spent a lot of time pushing back against what he considered pointless or wrongheaded changes. Eventually things seemed to stabilize and there seemed to be a consensus and people started paying less attention. Koch was one of those people.
The process then wound up again and a bunch of stuff that Koch opposed ended up in the standards draft. Koch eventually noticed and ended up taking the position that the GnuPG project would not follow the new changes and would instead stay where they were.
I think the very best outcome here would be if the various entities would accept that the process is working to the extent of clearly showing that consensus has not been reached and can't be reached from this point. The process will have to start yet again. The root cause here seems to be that there is no real serious issue with the existing standard, so attempts to update it lack a focus. As a result there is a tendency to try to change everything.
Worth noting is that the choice to move on with the rfc process was made very deliberately: there was a large thread on the mailing list to try and find a compromise. In this discussion, Werner Koch's negotiation standpoint basically required things to go 100% his way. The choices for the working group chairs ultimately boiled down to:
1. Closing down the wg with no result.
2. Moving on as a mostly functioning working group, at the cost of leaving Werner/GnuPG in the rough.
3. Reverting everything to the way Werner preferred.
None of those were great options, obviously.
Note that for option 3, the draft that is now LibrePGP and which was edited by Werner until circa 2020, had spectacularly failed to gather support and achieve consensus back then, and effectively stalled the working group for years. The LibrePGP project now claims that this draft was "the last consensus" of the working group, but at that time the reality was that Werner had gotten pretty used to just committing to master of the spec draft whatever he felt like, instead of seeking group consensus.
At the moment there doesn't seem to be a chance for the parties to come to an agreement. I'm curious to see how this develops.
People should agree that if there is no consensus reachable within the group of experts, an external advisor (e.g. Bruce Schneier, Ross Anderson) should be consulted. They may not be automatically "right", but such an agreement could re-stablish focus and avoid division or, worse, ending the worthwhile group's activities.
Nothing is worse than open source people not reaching consensus and moving on, because nothing will make the enemy of privacy more happy.
The IETF aims for rough consensus [1][2], rather than full consensus. The OpenPGP Working Group chairs have deemed that GnuPG is "in the rough" of the rough consensus [3], and that there is sufficient consensus on the crypto refresh to publish it as an RFC. If GnuPG disagrees with that outcome, they can appeal it. That would be the normal "process" to follow, which - to my knowledge - hasn't happened yet.
As for lacking focus, I'm obviously biased as one of the authors of the document, but the charter of the crypto refresh [4] was rather narrow, and aimed at modernizing the cryptographic primitives in OpenPGP. That's what the crypto refresh focused on; e.g. see [5].
Rough consensus doesn't have to include the people actually running the project? That sounds like a great way to publish standards that will be ignored by everyone...
Multiple OpenPGP implementations were involved in the crypto refresh, including Sequoia-PGP, OpenPGP.js, GopenPGP, and - at one point - RNP and even GnuPG itself, though those two stopped being involved at some point. GnuPG is now unhappy with some of the changes that were made after that point, which is their right. However, GnuPG is not the only implementation of OpenPGP, and not the only voice that matters. Various implementations have already implemented the crypto refresh (and personally I still hold out hope that eventually, GnuPG will do so as well, if this drama dies down and everyone can reconciliate).
The thing is that I've never even heard of any of those. When people talk about PGP they mean GnuPG. All of those other projects their purpose of existence is to be compatible with GnuPG. If compatibility wasn't a concern you'd just use something new like Age.
If I added to my litany of problems with PGP the fact that its advocates and user base believe that GnuPG is the PGP standard, I'd get dunked on. But I agree with you completely: GnuPG is the standard.
Further: I don't think this is intrinsically a bad thing. Other, more successful projects work this way, most notably WireGuard. You have to judge these things on the merits.
Even if you don't know them, (and pardon my arrogance,) OpenPGP.js and GopenPGP probably have many more end users than GnuPG, due to them being used by Proton Mail (among other products). However, that shouldn't actually matter, because..
> All of those other projects their purpose of existence is to be compatible with GnuPG.
That's not how the IETF process works. Technical arguments are more important than who has the most users.
> If compatibility wasn't a concern you'd just use something new like Age.
That being said, OpenPGP.js and GopenPGP do actually implement the old version of the draft (now dubbed "LibrePGP") as well (and everybody obviously still supports RFC4880), so there's no real risk of incompatibility. We just also implement the crypto refresh, and hope that GnuPG will do so as well, so that everyone can benefit from the improvements made there.
> Even if you don't know them, (and pardon my arrogance,) OpenPGP.js and GopenPGP probably have many more end users than GnuPG, due to them being used by Proton Mail (among other products).
Right, but I assume the point of Proton Mail using OpenPGP is so that mail sent by Proton Mail can actually be verified/decrypted by other systems that aren't Proton Mail? So compatibility with the widely known GnuPG is a goal. Otherwise the question remains, why PGP?
> That's not how the IETF process works
Sure, but it is how the real world works.
> That being said, OpenPGP.js and GopenPGP do actually implement the old version of the draft
So are you doing both? If you implement the crypto refresh and GnuPG doesn't then you lose compatibility, right? If you don't lose compatibility and are somehow doing both, then what's the point?
> So are you doing both? If you implement the crypto refresh and GnuPG doesn't then you lose compatibility, right? If you don't lose compatibility and are somehow doing both, then what's the point?
OpenPGP keys can signal support for various features and algorithms - such as AEAD modes. As one example, the crypto refresh specifies GCM (as optional to implement).
This means that, when sending email between Proton users and OpenPGP implementations that support that, we can use GCM - which has certain security and performance benefits.
If we send email between Proton users and GnuPG, we won't use GCM, so we won't lose compatibility, but users also won't benefit from those (and other) security and performance improvements.
Thank you for clarifying. I'd still be concerned about not being able to use the same key for proton mail and my desktop application, but that is more reasonable to deal with.
This is something I would want a subkey system to handle. Like it would be neat if you could have a masterkey that signs two separate keys and says "this is for proton" and "this separate key is for debian", in such a way that it's clear that they both belong to me.
> I'd still be concerned about not being able to use the same key for proton mail and my desktop application
Would it be possible to use different subkeys for each (a good idea in any case, since it would allow revoking them separately in case one of them is leaked)? I don't recall whether the packet with the features and algorithms support information is attached to the key or to the subkey.
It's possible to do both, however, the crypto refresh recommends setting the preferences on the entire key, and anything else isn't widely supported, I believe. Theoretically, you could have two versions of the key with different preferences (and different subkeys), but at that point you're probably better off having two entirely separate keys.
> I assume the point of Proton Mail using OpenPGP is so that mail sent by Proton Mail can actually be verified/decrypted by other systems that aren't Proton Mail?
My experience with Proton is that they really don't care anything about encryption or signatures except as they apply to emails between Proton users: http://jfloren.net/b/2023/7/7/0
More like... First there was GnuPG. Then people wanted interoperability with other implementations so OpenPGP happened, and then OpenPGP changes things to be incompatible with GnuPG.
Not to be pedantic but that's not how the history went. First there was PGP (the product), then that was turned into a standard (RFC2440, "OpenPGP Message Format"), and GnuPG implemented that.
Then, some (backwards-compatible) changes to the OpenPGP standard were proposed, and every implementation implemented them. (These were specified in RFC4880.)
Then, some (backwards-compatible) changes to the OpenPGP standard were proposed, and many implementations implemented them. (They never ended up in an RFC, but are now dubbed "LibrePGP".)
Then, some more (again backwards-compatible) changes were proposed, and many implementations implemented them, but not GnuPG, for now. (This is the crypto refresh. It should become an RFC soon.)
It's a shame GnuPG doesn't want to implement the crypto refresh at this time, but that shouldn't cause incompatibilities (if all implementations are conservative in what they generate). Messages sent between GnuPG and other implementations can still use RFC4880 (the old OpenPGP standard), they just won't benefit from the improvements in the crypto refresh, unfortunately.
It is a similar position as with chromium and web standards. Doing stuff without their agreement is kinda pointless in the same way, but if they aren't gonna cooperate what are you gonna do, give up and just do whatever they want?
Examples? Specifically, old potentially vulnerable ciphers that would actually allow the NSA to crack encrypted emails? IDEA and 3DES for example are perfectly secure for that usage. ... and just having something in the standard is not going to force anyone to use it. These days it is all AES and RSA or Curve25519.
> IDEA and 3DES for example are perfectly secure for that usage.
I wouldn’t use the phrase “perfectly secure”. They are both 64-bit block ciphers so vulnerable to generic collision attacks like https://sweet32.info/. This is why NIST deprecated 3DES and reduced the allowed limit of data encrypted with a single key to 2^20 blocks = 8MB. Many emails with attachments exceed that size.
Now, you may say that such attacks are largely theoretical and the actual amount of (known plaintext) that needs to be captured is much larger in practice, but this is quite a step from “perfectly secure”, especially when you are considering the NSA as your adversary.
I can't find any indication that this has transitioned from the proposal stage to an actual recommendation. But at any rate, this proposal is based on sweet32[1] which was a oracle attack which required 785 GB of traffic to demonstrate. Off the top of my head, recommendations for things like email (and file encryption), which are not vunerable to that sort of oracle attack, suggest a maximum for 64 bit block length ciphers of something like 4 GB. Email tends to be a maximum of 50 MB. That would be after base64 encoding.
Yes, it became part of the standard in rev 2. 3DES will be completely forbidden for federal use after the end of the year. Sweet32 was a demo, attacks get better. And there are other generic attacks against overuse of 64-bit blockciphers. Outside of a few usecases in constrained environments there’s no good reason to use a 64-bit blockcipher anymore (and there are better choices than DES/IDEA for those cases).
Just to be clear, you are asking how all this evidence refutes your totally unsupported assertion that 3DES is “perfectly secure” against the NSA? When even the NSA, who co-designed DES in the first place, forbid its continued use?
Way back, there was a rambling and expansive process to update the OpenPGP standard. Years. So eventually it was decided to do a more focused "crypto refresh" that would be restricted to just important cryptography concerns. The GnuPG program was part of this. During the process the head of the GnuPG project (Werner Koch) spent a lot of time pushing back against what he considered pointless or wrongheaded changes. Eventually things seemed to stabilize and there seemed to be a consensus and people started paying less attention. Koch was one of those people.
The process then wound up again and a bunch of stuff that Koch opposed ended up in the standards draft. Koch eventually noticed and ended up taking the position that the GnuPG project would not follow the new changes and would instead stay where they were.
I think the very best outcome here would be if the various entities would accept that the process is working to the extent of clearly showing that consensus has not been reached and can't be reached from this point. The process will have to start yet again. The root cause here seems to be that there is no real serious issue with the existing standard, so attempts to update it lack a focus. As a result there is a tendency to try to change everything.