Plan B - Who carries the torch?

Plan B - Who carries the torch?

GnuPG - User mailing list
Hi all,

hope you all had a Happy New Year and that you are all healthy!

I am currently in the mood to discuss things here and there publicly
and regarding GnuPG and the OpenPGP ecosystem I was wondering about
the following.

I assume the following: Werner is globally known as the author of
GnuPG and it is generally accepted that GnuPG is a de facto security
standard globally besides S/MIME when it comes for example to private
email communications.

Werner, like me and a couple of others, as some may know are no longer
in their twenties so that it can be assumed, when in 10 years Google
and IBM have Quantum Computers, which make our classic encryption like
ECC probably useless that then people may have a problem.

I assume the worst case scenario that when Werner retires and starts
to enjoy life with his family and friends and let's say Andre would
change his career path who carries then the torch, so to speak? Would
dkg take over and do also gpg4win development? My understanding is
that sequoia pgp, due to the fact that it is written in Rust may
probably see not its light in major Linux distributions as an apt-get
option, or in case Casey would decide (once Hockeypuck is finished)
that he writes a Golang GnuPG that would be then distributed in major
Linux distros.

So, ladies and gentlemen any thoughts or insights which can be shared?

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Plan B - Who carries the torch?

GnuPG - User mailing list
> I assume the following: Werner is globally known as the author of
> GnuPG and it is generally accepted that GnuPG is a de facto security
> standard globally besides S/MIME when it comes for example to private
> email communications.

No.  OpenPGP is; GnuPG is just one implementation of the OpenPGP
standard.  There are others.

> in their twenties so that it can be assumed, when in 10 years Google
> and IBM have Quantum Computers, which make our classic encryption
> like
> ECC probably useless that then people may have a problem.

Quantum computing has been ten years away since 1992, which is when I
first heard about it.  I would be extraordinarily cautious about
believing the hype.  Getting enough qubits together to form the
necessary quantum logic is only a very small part of the overall
picture.  Read up on Grover's algorithm sometime, and think about just
how unreasonable the requirements are: they're so unreasonable as to
make the prospect of breaking crypto via Grover's actually _slower_
than the classical way.

> I assume the worst case scenario that when Werner retires and starts
> to enjoy life with his family and friends and let's say Andre would
> change his career path who carries then the torch, so to speak?

Who cares?

Seriously.  OpenPGP has survived as long as it has mostly by a miracle
involving the diligence of a handful of people, but in many ways it's
embarrassingly ... well, not obsolete.  Definitely obsolescent, though.
A cryppie at Johns Hopkins, Matthew Green, describes OpenPGP as a
showcase of the best cryptographical techniques of the mid-1990s, and
he's not wrong.

Someday, we'll decide OpenPGP has done enough and should be retired.
And that will be okay.  I hope that someone else comes along and works
on a newer standard using the best cryptographical techniques of the
2020s, and I hope this new standard breaks backwards compatibility with
OpenPGP.  Breaks it flagrantly, violently, and spectacularly.

> So, ladies and gentlemen any thoughts or insights which can be
> shared?

Yeah.  Less time worrying about how to make OpenPGP continue for
another twenty years, more time spent about how to make a next-
generation cryptographic tool that will occupy the same space OpenPGP
did but will do it better and with more modern techniques.




Re: Plan B - Who carries the torch?

GnuPG - User mailing list
On Sat, Jan 2, 2021 at 10:56 PM Robert J. Hansen <[hidden email]> wrote:

> > in their twenties so that it can be assumed, when in 10 years Google
> > and IBM have Quantum Computers, which make our classic encryption
> > like
> > ECC probably useless that then people may have a problem.
>
> Quantum computing has been ten years away since 1992, which is when I
> first heard about it.  I would be extraordinarily cautious about
> believing the hype.  Getting enough qubits together to form the
> necessary quantum logic is only a very small part of the overall
> picture.  Read up on Grover's algorithm sometime, and think about just
> how unreasonable the requirements are: they're so unreasonable as to
> make the prospect of breaking crypto via Grover's actually _slower_
> than the classical way.

Well, I do not follow any hype but you, as a well educated person,
know like many others, I strongly assume, that people interested
in this topic can play already with Quantum Computer Resistant
algorithms, freely available. Not only this, but when folks, I judge
as professionals in their field, are doing work related to this topic,
i.e. NIST [1] I guess it would not hurt to mention this. Last year,
for example, was the ECC conference and it was mentioned
that IBM and Google would be capable in ten years to have
Quantum Computers with a million qubits, or so and not only
a couple. Besides Quantum Computers I would guess that
also research in the field of other technologies is done,
which can, as understood, rival Quantum Computers and
are cheaper to produce and to maintain. [2]

>
> > I assume the worst case scenario that when Werner retires and starts
> > to enjoy life with his family and friends and let's say Andre would
> > change his career path who carries then the torch, so to speak?
>
> Who cares?

For example me, and now maybe others ... :-)

> Seriously.  OpenPGP has survived as long as it has mostly by a miracle
> involving the diligence of a handful of people, but in many ways it's
> embarrassingly ... well, not obsolete.  Definitely obsolescent, though.
> A cryppie at Johns Hopkins, Matthew Green, describes OpenPGP as a
> showcase of the best cryptographical techniques of the mid-1990s, and
> he's not wrong.
>
> Someday, we'll decide OpenPGP has done enough and should be retired.
> And that will be okay.  I hope that someone else comes along and works
> on a newer standard using the best cryptographical techniques of the
> 2020s, and I hope this new standard breaks backwards compatibility with
> OpenPGP.  Breaks it flagrantly, violently, and spectacularly.
>
> > So, ladies and gentlemen any thoughts or insights which can be
> > shared?
>
> Yeah.  Less time worrying about how to make OpenPGP continue for
> another twenty years, more time spent about how to make a next-
> generation cryptographic tool that will occupy the same space OpenPGP
> did but will do it better and with more modern techniques.

Thank you very much for your thoughts, with which I agree.

Question however remains, who will do this? Cypherpunks, for example,
are dead, which had IMHO a great influence in the past.

[1] <https://www.nist.gov/news-events/news/2019/01/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals>

[2] <https://go.gale.com/ps/anonymous?id=GALE%7CA600067976&sid=googleScholar&v=2.1&it=r&linkaccess=abs&issn=00280836&p=AONE&sw=w>

Regards
Stefan


Re: Plan B - Who carries the torch?

GnuPG - User mailing list
In reply to this post by GnuPG - User mailing list

> My understanding is that sequoia pgp, due to the fact that it is written in Rust may
> probably see not its light in major Linux distributions as an apt-get option

While it's true that Rust crates aren't straightforward to package in Debian,
sequoia-the-library in version 1.0.0 is indeed packaged in Debian bullseye as of
2020-12-16, so should make its way through the apt ecosystem through the year.

https://packages.debian.org/testing/source/rust-sequoia-openpgp

https://sequoia-pgp.org/blog/2020/12/16/202012-1.0/

 - V



Re: Plan B - Who carries the torch?

GnuPG - User mailing list
On Mon, Jan 4, 2021 at 3:27 PM Vincent Breitmoser via Gnupg-users
<[hidden email]> wrote:

>
>
> > My understanding is that sequoia pgp, due to the fact that it is written in Rust may
> > probably see not its light in major Linux distributions as an apt-get option
>
> While it's true that Rust crates aren't straightforward to package in Debian,
> sequoia-the-library in version 1.0.0 is indeed packaged in Debian bullseye as of
> 2020-12-16, so should make its way through the apt ecosystem through the year.
>
> https://packages.debian.org/testing/source/rust-sequoia-openpgp
>
> https://sequoia-pgp.org/blog/2020/12/16/202012-1.0/

Ah, cool. I was not (yet) aware of it. And seeing dkg listed as a
package maintainer is a bonus too, IMHO. :-)

Best regards
Stefan


Re: Plan B - Who carries the torch?

Bernhard Reiter-7
In reply to this post by GnuPG - User mailing list
Hi everybody,

== who could continue development?

Beside other options already mentioned,

a) there is a charity https://gnupg.org/verein/
which currently is small with some of the already known people,
and only starts to do a few small things, but as a legal
entity it has some personal reserves that could be broadened.

b) g10code GmbH is also a legal entity and has some more employees than Werner
and Andre. If demand is high enough, one of those organisations can pick up.
(So you know: I am with GnuPG e.V. and my company Intevation
works together with g10code on Gpg4win. We offer paid support
for all available Free Software products in principle. So to me that is more
of a long term funding problem.)

Because GnuPG/Gpg4win is completely Free Software, many companies, or other
organisations can pick up its development.


== about its usefulness:

Personally I believe GnuPG, OpenPGP and email to be important and on the course
to stay for many years. Main reasons are:
a) email use has not gone down. It is one of the remaining really decentral
systems.
b) And it has become and stays an identity anchor for the majority of internet
based services. For this function public keyservers (decentral, carrying
signatures) are important (to complement some use cases).

Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
