Multiple OpenPGP implementations were involved in the crypto refresh, including Sequoia-PGP, OpenPGP.js, GopenPGP, and - at one point - RNP and even GnuPG itself, though those two stopped being involved at some point. GnuPG is now unhappy with some of the changes that were made after that point, which is their right. However, GnuPG is not the only implementation of OpenPGP, and not the only voice that matters. Various implementations have already implemented the crypto refresh (and personally I still hold out hope that eventually, GnuPG will do so as well, if this drama dies down and everyone can reconciliate).
The thing is that I've never even heard of any of those. When people talk about PGP they mean GnuPG. All of those other projects their purpose of existence is to be compatible with GnuPG. If compatibility wasn't a concern you'd just use something new like Age.
If I added to my litany of problems with PGP the fact that its advocates and user base believe that GnuPG is the PGP standard, I'd get dunked on. But I agree with you completely: GnuPG is the standard.
Further: I don't think this is intrinsically a bad thing. Other, more successful projects work this way, most notably WireGuard. You have to judge these things on the merits.
Even if you don't know them, (and pardon my arrogance,) OpenPGP.js and GopenPGP probably have many more end users than GnuPG, due to them being used by Proton Mail (among other products). However, that shouldn't actually matter, because..
> All of those other projects their purpose of existence is to be compatible with GnuPG.
That's not how the IETF process works. Technical arguments are more important than who has the most users.
> If compatibility wasn't a concern you'd just use something new like Age.
That being said, OpenPGP.js and GopenPGP do actually implement the old version of the draft (now dubbed "LibrePGP") as well (and everybody obviously still supports RFC4880), so there's no real risk of incompatibility. We just also implement the crypto refresh, and hope that GnuPG will do so as well, so that everyone can benefit from the improvements made there.
> Even if you don't know them, (and pardon my arrogance,) OpenPGP.js and GopenPGP probably have many more end users than GnuPG, due to them being used by Proton Mail (among other products).
Right, but I assume the point of Proton Mail using OpenPGP is so that mail sent by Proton Mail can actually be verified/decrypted by other systems that aren't Proton Mail? So compatibility with the widely known GnuPG is a goal. Otherwise the question remains, why PGP?
> That's not how the IETF process works
Sure, but it is how the real world works.
> That being said, OpenPGP.js and GopenPGP do actually implement the old version of the draft
So are you doing both? If you implement the crypto refresh and GnuPG doesn't then you lose compatibility, right? If you don't lose compatibility and are somehow doing both, then what's the point?
> So are you doing both? If you implement the crypto refresh and GnuPG doesn't then you lose compatibility, right? If you don't lose compatibility and are somehow doing both, then what's the point?
OpenPGP keys can signal support for various features and algorithms - such as AEAD modes. As one example, the crypto refresh specifies GCM (as optional to implement).
This means that, when sending email between Proton users and OpenPGP implementations that support that, we can use GCM - which has certain security and performance benefits.
If we send email between Proton users and GnuPG, we won't use GCM, so we won't lose compatibility, but users also won't benefit from those (and other) security and performance improvements.
Thank you for clarifying. I'd still be concerned about not being able to use the same key for proton mail and my desktop application, but that is more reasonable to deal with.
This is something I would want a subkey system to handle. Like it would be neat if you could have a masterkey that signs two separate keys and says "this is for proton" and "this separate key is for debian", in such a way that it's clear that they both belong to me.
> I'd still be concerned about not being able to use the same key for proton mail and my desktop application
Would it be possible to use different subkeys for each (a good idea in any case, since it would allow revoking them separately in case one of them is leaked)? I don't recall whether the packet with the features and algorithms support information is attached to the key or to the subkey.
It's possible to do both, however, the crypto refresh recommends setting the preferences on the entire key, and anything else isn't widely supported, I believe. Theoretically, you could have two versions of the key with different preferences (and different subkeys), but at that point you're probably better off having two entirely separate keys.
> I assume the point of Proton Mail using OpenPGP is so that mail sent by Proton Mail can actually be verified/decrypted by other systems that aren't Proton Mail?
My experience with Proton is that they really don't care anything about encryption or signatures except as they apply to emails between Proton users: http://jfloren.net/b/2023/7/7/0
More like... First there was GnuPG. Then people wanted interoperability with other implementations so OpenPGP happened, and then OpenPGP changes things to be incompatible with GnuPG.
Not to be pedantic but that's not how the history went. First there was PGP (the product), then that was turned into a standard (RFC2440, "OpenPGP Message Format"), and GnuPG implemented that.
Then, some (backwards-compatible) changes to the OpenPGP standard were proposed, and every implementation implemented them. (These were specified in RFC4880.)
Then, some (backwards-compatible) changes to the OpenPGP standard were proposed, and many implementations implemented them. (They never ended up in an RFC, but are now dubbed "LibrePGP".)
Then, some more (again backwards-compatible) changes were proposed, and many implementations implemented them, but not GnuPG, for now. (This is the crypto refresh. It should become an RFC soon.)
It's a shame GnuPG doesn't want to implement the crypto refresh at this time, but that shouldn't cause incompatibilities (if all implementations are conservative in what they generate). Messages sent between GnuPG and other implementations can still use RFC4880 (the old OpenPGP standard), they just won't benefit from the improvements in the crypto refresh, unfortunately.
