> Wait a minute, are you saying that running code comes first, and specs are meant to play catch up? At the beginning of the standardisation process that makes a ton of sense, but once the standard is established, it should take precedence.
To repeat something I've said before: I'm not a GnuPG insider. I don't
want to be one. I'm not part of this argument (despite some people in
the RFC9580 camp occasionally loudly declaring I am).
What follows here is my best understanding of what happened, *speaking
as an outsider*.
In the very beginning there's no choice but to simply document how
existing code works. Once conformance with that initial spec is reached,
vendors are encouraged to extend the spec however they see useful, so
long as (a) existing conformance with the spec is upheld, and (b) they
publicly share their proposed extensions to the spec so the community
can discuss them.
RFC4880 was getting a bit long in the tooth. New extensions were
necessary. Werner behaved responsibly here by preserving strict RFC4880
compliance (the "--rfc4880" flag) and bringing his changes to the
Working Group (the "WG") for community deliberation. Over time multiple
technical addenda were officially added to the spec: following normal
practice, they were called "bis" releases (from the French "encore" or
"repeat").
LibrePGP is effectively RFC4880-bis-10, I think, dating from July 2016
or so. RFC4880 was published in 2007, so Werner had been extending the
spec *and fully cooperating with the process* for nine years.
Over those nine years GnuPG picked up a lot of users and became the most
commonly used RFC4880 and RFC4880bis implementation out there.
A few years ago there came a point where the WG needed to decide whether
to say "RFC4880-bis-10 is going to be the end of our experiments, this
is going to be the long-term release going forward", or ... something else.
The WG decided, in essence, the past nine years of -bis releases should
be seen as mere experimentation -- never minding the fact many many
users depend on GnuPG supporting the -bis series. They would instead
start fresh from a clean sheet of paper using lessons learned from
almost twenty years of RFC4880 use, and -- most controversially --
breaking backwards compatibility with the RFC4880-bis series ("LibrePGP").
RFC9580 is what they came up with instead. It is a good spec. It was
designed by competent, knowledgeable people. But there's also next to no
userbase for RFC9580 right now, as opposed to the vastly larger LibrePGP
userbase.
On the one side you have Werner saying, "I fully cooperated with the WG
for years and all these extensions were developed in collaboration with
the WG, now you're expecting me to tell millions of users who relied on
RFC4880-bis-10 being the next standard that no, they have to do
something else?!"
And on the other side you have people saying, "it was unwise for you to
encourage users to migrate to something that hadn't yet been
standardized, and we're not going to apologize for at the very last
minute deciding to release a better spec."
> Promoting the standard instead of your particular implementation is commendable. On the flip side, doing so strongly implies a promise to follow those specs going forward.

Werner did. He promised RFC2440 support and delivered on that. As RFC2440 evolved through -bis releases he tracked those. When the last RFC2440-bis became RFC4880, he tracked that. He has a quarter-century history of tracking the evolution of the specs very closely. When a new spec was released, RFC9580, that's when the schism occurred. GnuPG does not support RFC9580.
> To most people outside the GnuPG project, it's crystal clear OpenPGP is the mainline.

99% of people outside the GnuPG project have no idea what either OpenPGP or LibrePGP are and don't care. Of all humanity's billions a few million, at most, track this stuff. Nobody has ever asked me for my RFC9580 certificate. (Yes, I have one. Yes, I would cheerfully use it if anyone asked.) A few people a year pull down my LibrePGP certificate through the Web Key Directory. Proton Mail has RFC9580 support in their back-end, but also supports RFC4880-bis-10. There's one for-pay email app in the Apple Store that claims RFC9580 conformance. I am unaware of any open-source email clients with RFC9580 support. Thunderbird is by far the most commonly used *PGP email client. They use the LibRNP library, which has said they'll follow LibrePGP. Evolution also supports GnuPG through a complex set of custom C code, last I looked (which wasn't recently): I doubt they're going to be willing to yank it all out to replace it with Sequoia.
> confused when they find GnuPG has stopped complying with OpenPGP (if it ever has).
RFC2440 was published in '98, and GnuPG came into full compliance with it in '99, I think. It *stayed* in full compliance until July 2024, when RFC9580 was published. Please don't insult Werner's quarter-century of hard work.
Gnupg-users mailing list: https://lists.gnupg.org/mailman/listinfo/gnupg-users