[gnutls-devel] openpgp removal


Nikos Mavrogiannopoulos-2
Hi Ludo,
 After considering the quality of the OpenPGP support in gnutls, I've
decided to speed up the OpenPGP deprecation originally planned in [0].
I've marked all functions as deprecated and modified the manual to
list the reasons the openpgp certificate support should not be used in
[1]. However, there are some references to OpenPGP in the Guile manual
as well. Is it ok to remove them?

regards,
Nikos

[0]. https://gitlab.com/gnutls/gnutls/issues/102
[1]. https://gitlab.com/gnutls/gnutls/merge_requests/224

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Re: [gnutls-devel] openpgp removal

Ludovic Courtès-3
Hi Nikos,

Nikos Mavrogiannopoulos <[hidden email]> wrote:

>  After considering the quality of the OpenPGP support in gnutls, I've
> decided to speed up the OpenPGP deprecation originally planned in [0].
> I've marked all functions as deprecated and modified the manual to
> list the reasons the openpgp certificate support should not be used in
> [1]. However, there are some references to OpenPGP in the Guile manual
> as well. Is it ok to remove them?

Yes, sure.

I’m disappointed to see OpenPGP support go away, because that’s one of
the things that brought me into GnuTLS back in the day, but I can
understand your concerns as a maintainer.

Thanks,
Ludo’.


Re: [gnutls-devel] openpgp removal

Nikos Mavrogiannopoulos-2
On Sat, Jan 14, 2017 at 6:14 PM, Ludovic Courtès <[hidden email]> wrote:

>>  After considering the quality of the OpenPGP support in gnutls, I've
>> decided to speed up the OpenPGP deprecation originally planned in [0].
>> I've marked all functions as deprecated and modified the manual to
>> list the reasons the openpgp certificate support should not be used in
>> [1]. However, there are some references to OpenPGP in the Guile manual
>> as well. Is it ok to remove them?
> Yes, sure.
>
> I’m disappointed to see OpenPGP support go away, because that’s one of
> the things that brought me into GnuTLS back in the day, but I can
> understand your concerns as a maintainer.

I think it is time to admit that OpenPGP authentication for TLS led
nowhere. Although I initially expected to improve web applications,
and even more custom applications by providing a simpler verification
of trust, neither of these categories benefited in practice. The web
of trust push by pgp/gpg proved to be too complex to deploy on the
scale of the Internet. When OpenPGP certificates were used with gnutls
they were used only as an alternative format for certificates, which
was neither simpler nor better than X.509.

regards,
Nikos


Re: [gnutls-devel] openpgp removal

Ludovic Courtès-3
Nikos Mavrogiannopoulos <[hidden email]> wrote:

> On Sat, Jan 14, 2017 at 6:14 PM, Ludovic Courtès <[hidden email]> wrote:
>>>  After considering the quality of the OpenPGP support in gnutls, I've
>>> decided to speed up the OpenPGP deprecation originally planned in [0].
>>> I've marked all functions as deprecated and modified the manual to
>>> list the reasons the openpgp certificate support should not be used in
>>> [1]. However, there are some references to OpenPGP in the Guile manual
>>> as well. Is it ok to remove them?
>> Yes, sure.
>>
>> I’m disappointed to see OpenPGP support go away, because that’s one of
>> the things that brought me into GnuTLS back in the day, but I can
>> understand your concerns as a maintainer.
>
> I think it is time to admit that OpenPGP authentication for TLS led
> nowhere. Although I initially expected to improve web applications,
> and even more custom applications by providing a simpler verification
> of trust, neither of these categories benefited in practice. The web
> of trust push by pgp/gpg proved to be too complex to deploy on the
> scale of the Internet. When OpenPGP certificates were used with gnutls
> they were used only as an alternative format for certificates, which
> was neither simpler nor better than X.509.

IMO it was “better” than X.509 in that it did not impose a centralized
model with its “authorities”, which to me is fundamentally flawed.

I never thought OpenPGP authentication would displace X.509 on “the Web”
but I thought it was a nice model to build upon for peer-to-peer-style
applications (what I looked at in my PhD thesis at the time).

That said, over time I’ve also become more skeptical of stretching
OpenPGP to such use cases, which are not what it was designed for.

Anyway, thank you for launching this experiment quite a few years ago!
:-)

Ludo’.
