[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OpenPGP should be called ClosedPGP

One of the things to remember about 2440 -- and stated in the document
abstract -- is that it isn't a how-to guide for writing an application.
It's a description of how the data is laid out, and (more or less) what it
means. It is "OpenPGP Formats" not "OpenPGP Implementation Guide."

Lots of things are assumed in the document. For example, it's assumed you
know what a cipher is. Many of the references to ciphers are pretty terse,
and I know I wouldn't want to implement from it and it alone. Just last
week, for example, someone pointed out to me that the reference for
Triple-DES was dangling. We all looked around for a good reference to 3DES,
and didn't come up with one! I was sure there was some RFC for it, myself,
and there isn't. This is amusing, since 3DES is the cross-group defacto
meta-standard algorithm in the IETF, and yet we don't have a good place to
say, "Hey, here's how 3DES is done." I changed the 2440bis reference to
point to Schneier, which is better than nothing, but still not great. As we
find those things, we'll shoot them.

Furthermore, there are things that we have agreed *not* to discuss here. A
close reading of 2440 will display references to key servers, trust, and
other things that are beyond its scope. Trust, in particular, is something
that the working group agreed not to put into 2440. At that time, we agreed
to let people write informational RFCs on various trust models. If someone
wants to write an informational RFC, that's a good one.

We've also discussed having implementation guides. That is also something
that would be great to do. But I don't think you should do an annotated
2440 or a re-organized one. We want to get to Standard as quickly as
possible, and there's already been a lot of work getting everyone to agree
that what we have is reasonable, if not perfect.