Mailing List Archive

Plan B - Who carries the torch?
Hi all,

hope you all had a Happy New Year and that you are all healthy!

I am currently in the mood to discuss things here and there publicly
and regarding GnuPG and the OpenPGP ecosystem I was wondering about
the following.

I assume the following: Werner is globally known as the author of
GnuPG and it is generally accepted that GnuPG is a de facto security
standard globally besides S/MIME when it comes for example to private
email communications.

Werner, like me and a couple of others, as some may know are no longer
in their twenties so that it can be assumed, when in 10 years Google
and IBM have Quantum Computers, which make our classic encryption like
ECC probably useless that then people may have a problem.

I assume the worst case scenario that when Werner retires and starts
to enjoy life with his family and friends and let's say Andre would
change his career path who carries then the torch, so to speak? Would
dkg take over and do also gpg4win development? My understanding is
that sequoia pgp, due to the fact that it is written in Rust may
probably see not its light in major Linux distributions as an apt-get
option, or in case Casey would decide (once Hockeypuck is finished)
that he writes a Golang GnuPG that would be then distributed in major
Linux distros.

So, ladies and gentlemen any thoughts or insights which can be shared?

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Plan B - Who carries the torch? [ In reply to ]
> I assume the following: Werner is globally known as the author of
> GnuPG and it is generally accepted that GnuPG is a de facto security
> standard globally besides S/MIME when it comes for example to private
> email communications.

No. OpenPGP is; GnuPG is just one implementation of the OpenPGP
standard. There are others.

> in their twenties so that it can be assumed, when in 10 years Google
> and IBM have Quantum Computers, which make our classic encryption like
> ECC probably useless that then people may have a problem.

Quantum computing has been ten years away since 1992, which is when I
first heard about it. I would be extraordinarily cautious about
believing the hype. Getting enough qubits together to form the
necessary quantum logic is only a very small part of the overall
picture. Read up on Grover's algorithm sometime, and think about just
how unreasonable the requirements are: they're so unreasonable as to
make the prospect of breaking crypto via Grover's actually _slower_
than the classical way.

> I assume the worst case scenario that when Werner retires and starts
> to enjoy life with his family and friends and let's say Andre would
> change his career path who carries then the torch, so to speak?

Who cares?

Seriously. OpenPGP has survived as long as it has mostly by a miracle
involving the diligence of a handful of people, but in many ways it's
embarrassingly ... well, not obsolete. Definitely obsolescent, though.
A cryppie at Johns Hopkins, Matthew Green, describes OpenPGP as a
showcase of the best cryptographical techniques of the mid-1990s, and
he's not wrong.

Someday, we'll decide OpenPGP has done enough and should be retired.
And that will be okay. I hope that someone else comes along and works
on a newer standard using the best cryptographical techniques of the
2020s, and I hope this new standard breaks backwards compatibility with
OpenPGP. Breaks it flagrantly, violently, and spectacularly.

> So, ladies and gentlemen any thoughts or insights which can be
> shared?

Yeah. Less time worrying about how to make OpenPGP continue for
another twenty years, more time spent about how to make a next-
generation cryptographic tool that will occupy the same space OpenPGP
did but will do it better and with more modern techniques.



Re: Plan B - Who carries the torch? [ In reply to ]
On Sat, Jan 2, 2021 at 10:56 PM Robert J. Hansen <rjh@sixdemonbag.org> wrote:

> > in their twenties so that it can be assumed, when in 10 years Google
> > and IBM have Quantum Computers, which make our classic encryption like
> > ECC probably useless that then people may have a problem.
>
> Quantum computing has been ten years away since 1992, which is when I
> first heard about it. I would be extraordinarily cautious about
> believing the hype. Getting enough qubits together to form the
> necessary quantum logic is only a very small part of the overall
> picture. Read up on Grover's algorithm sometime, and think about just
> how unreasonable the requirements are: they're so unreasonable as to
> make the prospect of breaking crypto via Grover's actually _slower_
> than the classical way.

Well, I do not follow any hype but you, as a well educated person,
know like many others, I strongly assume, that people interested
in this topic can play already with Quantum Computer Resistant
algorithms, freely available. Not only this, but when folks, I judge
as professionals in their field, are doing work related to this topic,
i.e. NIST [1] I guess it would not hurt to mention this. Last year,
for example, was the ECC conference and it was mentioned
that IBM and Google would be capable in ten years to have
Quantum Computers with a million qubits, or so and not only
a couple. Besides Quantum Computers I would guess that
also research in the field of other technologies is done,
which can, as understood, rival Quantum Computers and
are cheaper to produce and to maintain. [2]

>
> > I assume the worst case scenario that when Werner retires and starts
> > to enjoy life with his family and friends and let's say Andre would
> > change his career path who carries then the torch, so to speak?
>
> Who cares?

For example me, and now maybe others ... :-)

> Seriously. OpenPGP has survived as long as it has mostly by a miracle
> involving the diligence of a handful of people, but in many ways it's
> embarrassingly ... well, not obsolete. Definitely obsolescent, though.
> A cryppie at Johns Hopkins, Matthew Green, describes OpenPGP as a
> showcase of the best cryptographical techniques of the mid-1990s, and
> he's not wrong.
>
> Someday, we'll decide OpenPGP has done enough and should be retired.
> And that will be okay. I hope that someone else comes along and works
> on a newer standard using the best cryptographical techniques of the
> 2020s, and I hope this new standard breaks backwards compatibility with
> OpenPGP. Breaks it flagrantly, violently, and spectacularly.
>
> > So, ladies and gentlemen any thoughts or insights which can be
> > shared?
>
> Yeah. Less time worrying about how to make OpenPGP continue for
> another twenty years, more time spent about how to make a next-
> generation cryptographic tool that will occupy the same space OpenPGP
> did but will do it better and with more modern techniques.

Thank you very much for your thoughts, with which I agree.

Question however remains, who will do this? Cypherpunks, for example,
are dead, which had IMHO a great influence in the past.

[1] <https://www.nist.gov/news-events/news/2019/01/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals>

[2] <https://go.gale.com/ps/anonymous?id=GALE%7CA600067976&sid=googleScholar&v=2.1&it=r&linkaccess=abs&issn=00280836&p=AONE&sw=w>

Regards
Stefan

Plan B - Who carries the torch? [ In reply to ]
> Yeah. Less time worrying about how to make OpenPGP continue for
> another twenty years, more time spent about how to make a next-
> generation cryptographic tool that will occupy the same space OpenPGP
> did but will do it better and with more modern techniques.

I totally agree with you on that. Though I have no idea how to do it, I think in the midterm we need something totally new with modern crypto-technology, easy to use and lean. Like WireGuard for VPN or the modern messengers.

Unfortunately OpenPGP and S/MIME have not managed to conquer a broad public and sometimes even not to keep up with modern standards in the last twenty years.

Sorry for criticising without suggesting a solution.

Karel

Re: Plan B - Who carries the torch? [ In reply to ]
> My understanding is that sequoia pgp, due to the fact that it is written in Rust may
> probably see not its light in major Linux distributions as an apt-get option

While it's true that Rust crates aren't straightforward to package in Debian,
sequoia-the-library in version 1.0.0 is indeed packaged in Debian bullseye as of
2020-12-16, so should make its way through the apt ecosystem through the year.

https://packages.debian.org/testing/source/rust-sequoia-openpgp

https://sequoia-pgp.org/blog/2020/12/16/202012-1.0/

- V


Re: Plan B - Who carries the torch? [ In reply to ]
On Mon, Jan 4, 2021 at 3:27 PM Vincent Breitmoser via Gnupg-users
<gnupg-users@gnupg.org> wrote:
>
>
> > My understanding is that sequoia pgp, due to the fact that it is written in Rust may
> > probably see not its light in major Linux distributions as an apt-get option
>
> While it's true that Rust crates aren't straightforward to package in Debian,
> sequoia-the-library in version 1.0.0 is indeed packaged in Debian bullseye as of
> 2020-12-16, so should make its way through the apt ecosystem through the year.
>
> https://packages.debian.org/testing/source/rust-sequoia-openpgp
>
> https://sequoia-pgp.org/blog/2020/12/16/202012-1.0/

Ah, cool. I was not (yet) aware of it. And seeing dkg listed as a
package maintainer is a bonus too, IMHO. :-)

Best regards
Stefan

Re: Plan B - Who carries the torch? [ In reply to ]
On 2021-01-03 at 15:35 +0100, karel-v_g--- via Gnupg-users wrote:
> > Yeah. Less time worrying about how to make OpenPGP continue for
> > another twenty years, more time spent about how to make a next-
> > generation cryptographic tool that will occupy the same space OpenPGP
> > did but will do it better and with more modern techniques.
> I totally agree with you on that. Though I have no idea how to do it,
> I think in the midterm we need something totally new with modern
> crypto-technology, easy to use and lean. Like WireGuard for VPN or
> the modern messengers.

Changing OpenPGP standard to use a Quantum-resistant algorithm would be
"easy".

With really big quote marks in bold typeface. But simple in theory.


First, you would need a new public key algorithm resistant to the new
attack e.g. Quantum-resistant.

I don't think a new symmetric cipher would be needed, current AES
options should stand even in Quantumcalypsis.

Then, you will need to assign an algo id for the new algorithm and set
the way the parameters will be stored in the key. You get all
implementations to add support for that new algorithm (well, at least
all implementations used by people you care about).

Finally, every user will need to discard their now-useless keys,
generate new ones and rebuild the chain of trust from the ground up.


Right now, we don't even have the candidate on what such algorithm will
be. Hopefully, it will appear long before that Quantumcalypsis.
Then, getting one or two implementations to support it may be simple,
but the OpenPGP ecosystem is a very fossilized environment. We still
haven't reached broad ECC support. There are some implementations which
still don't support it at all. And in other cases the program would
support it, but the user happens to use an ancient version that they
didn't update for many years.


As for the need of creating new keys and rebuilding the WoT, that's
sadly a consequence of the way openpgp keys are structured. There's no
clean way to progressively migrate into a new asymmetric algorithm.
For symmetric ciphers you do that with multiple subkeys, but not for
asymmetric keys. Well, you _could_ do that, but either the main key
uses the new algorithm (and thus old clients wouldn't be able to use
the key, so no reason for adding a classic subkey) or if the main key
used a classic algorithm, that would be the key being attacked, so
there is still no point for that.
At most, you could use two separate keys, one using "new" and other
"classic" crypto, and use them selectively (depending on who you
communicate with) or in parallel (i.e. always signing everything with
both keys).
It would be nice to have a way to attach a new, modern, key to a
backwards-compatible key, but that seems hard to construct (the
fingerprint would *not* cover the new key, or otherwise, you would need
to (ab)use an ignored portion of the public key block).


Regards

Ángel



Re: Plan B - Who carries the torch? [ In reply to ]
On 1/4/21 9:31 PM, Ángel wrote:
> Finally, every user will need to discard their now-useless keys,
> generate new ones and rebuild the chain of trust from the ground up.

Building a web of trust is so hopeless, from my point of view, that I
have abandoned gnupg. I have made keys for myself, obtained enigmail
for my Firefox browser, etc. But those with whom I correspond by e-mail
have diminished to almost the vanishing point. They use text messages on
their cell phones, Facebook messages, etc. While a few worry about the
"CIA" snooping on them, none will consider gnupg and enigmail. So for
me, it is pointless.

--
.~. Jean-David Beyer
/V\ Shrewsbury, New Jersey
/( )\ Red Hat Enterprise Linux
^^-^^ up 4 days, 13 hours, 37 minutes


Re: Plan B - Who carries the torch? [ In reply to ]
On Tue, Jan 05, 2021 at 07:27:14AM -0500, Jean-David Beyer via Gnupg-users wrote:
> Building a web of trust is so hopeless, from my point of view, that I have
> abandoned gnupg. I have made keys for myself, obtained enigmail for my
> Firefox browser, etc. But those with whom I correspond by e-mail have
> diminished to almost the vanishing point. They use text messages on their
> cell phones, Facebook messages, etc. While a few worry about the "CIA"
> snooping on them, none will consider gnupg and enigmail. So for me, it is
> pointless.
>
> --
> .~. Jean-David Beyer
> /V\ Shrewsbury, New Jersey
> /( )\ Red Hat Enterprise Linux
> ^^-^^ up 4 days, 13 hours, 37 minutes

I noticed your signature, so I must point out that RHEL and the Linux Kernel
development process rely heavily on GnuPG and the web of trust. Every time you
update packages on your system, large parts of the supply chain were verified
using GnuPG, relying on the integrity of the trust store shipped with RHEL.

So, you may not see it in your person-to-person communication, but you use
GnuPG every day.

-K

Re: Plan B - Who carries the torch? [ In reply to ]
On 1/5/21 8:24 AM, Konstantin Ryabitsev wrote:
> On Tue, Jan 05, 2021 at 07:27:14AM -0500, Jean-David Beyer via Gnupg-users wrote:
>> Building a web of trust is so hopeless, from my point of view, that I have
>> abandoned gnupg. I have made keys for myself, obtained enigmail for my
>> Firefox browser, etc. But those with whom I correspond by e-mail have
>> diminished to almost the vanishing point. They use text messages on their
>> cell phones, Facebook messages, etc. While a few worry about the "CIA"
>> snooping on them, none will consider gnupg and enigmail. So for me, it is
>> pointless.
>>
>> --
>> .~. Jean-David Beyer
>> /V\ Shrewsbury, New Jersey
>> /( )\ Red Hat Enterprise Linux
>> ^^-^^ up 4 days, 13 hours, 37 minutes
> I noticed your signature, so I must point out that RHEL and the Linux Kernel
> development process rely heavily on GnuPG and the web of trust. Every time you
> update packages on your system, large parts of the supply chain were verified
> using GnuPG, relying on the integrity of the trust store shipped with RHEL.
>
> So, you may not see it in your person-to-person communication, but you use
> GnuPG every day.
>
> -K

I sit corrected:

$ rpm -qf /usr/bin/gpg
gnupg2-2.2.9-1.el8.x86_64

I posted, not so much to criticize GnuPG as to criticize my associates
who talk security paranoia, but refuse to do anything about it. When all
is said and done, more is said than done. At least, with my associates.

--
.~. Jean-David Beyer
/V\ Shrewsbury, New Jersey
/( )\ Red Hat Enterprise Linux
^^-^^ up 4 days, 15 hours, 2 minutes


Re: Plan B - Who carries the torch? [ In reply to ]
On Tue, 5 Jan 2021 07:27, Jean-David Beyer said:

> Building a web of trust is so hopeless, from my point of view, that I
> have abandoned gnupg. I have made keys for myself, obtained enigmail

Virtually nobody uses the WoT. What people use are direct key
signatures. That is you verify a key's owner and then sign that key.
Usually not even exportable. Verification is often done by trust on
first use. And that is okay for the majority of use cases.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Plan B - Who carries the torch? [ In reply to ]
On Tue, 2021-01-05 at 15:38 +0100, Werner Koch via Gnupg-users wrote:
> Virtually nobody uses the WoT...

Strangely, the Linux kernel folks still use it a decent amount.
They're the only large group I can think of offhand, though.
Re: Plan B - Who carries the torch? [ In reply to ]
On Tue, 5 Jan 2021 09:46, Robert J. Hansen said:

> Strangely, the Linux kernel folks still use it a decent amount.

There are indeed use cases for the WoT; in particular if you don't know
your co-worker. However, in commercial or private settings the
communication patterns are different from the hacker community.


Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Plan B - Who carries the torch? [ In reply to ]
On Tue, Jan 5, 2021 at 3:44 PM Werner Koch via Gnupg-users
<gnupg-users@gnupg.org> wrote:
>
> On Tue, 5 Jan 2021 07:27, Jean-David Beyer said:
>
> > Building a web of trust is so hopeless, from my point of view, that I
> > have abandoned gnupg. I have made keys for myself, obtained enigmail
>
> Virtually nobody uses the WoT. What people use are direct key
> signatures. That is you verify a key's owner and then sign that key.
> Usually not even exportable. Verification is often done by trust on
> first use. And that is okay for the majority of use cases.

Not sure I understand you correctly, but why are then SKS key servers
still in operation, which allows third parties to look up who signed
whose key and with what trust level and GnuPG's WoT support, compared
to sq and Hagrid?

Regards
Stefan

Re: Plan B - Who carries the torch? [ In reply to ]
On Tue, Jan 05, 2021 at 09:46:01AM -0500, Robert J. Hansen via Gnupg-users wrote:
> On Tue, 2021-01-05 at 15:38 +0100, Werner Koch via Gnupg-users wrote:
> > Virtually nobody uses the WoT...
>
> Strangely, the Linux kernel folks still use it a decent amount.
> They're the only large group I can think of offhand, though.

Debian is much larger, though they've been moving away from the web of trust
based on keysigning and towards a scheme based around signed digital
documents (same idea, but certificates aren't bundled with keys themselves).

The use of WoT is not really that strange. WoT works better than most
alternatives in setups with decentralized infrastructure. While kernel.org
does act as a "certification authority" of sorts, we merely check and enforce
the web of trust before issuing accounts. Every step of the process is
transparent and can be verified, per this document:

https://korg.docs.kernel.org/pgpkeys.html

-K

Re: Plan B - Who carries the torch? [ In reply to ]
On Tue, 5 Jan 2021 16:46, Stefan Claas said:

> Not sure I understand you correctly, but why are then SKS key servers
> still in operation, which allows third parties to look up who signed
> whose key and with what trust level and GnuPG's WoT support, compared

Because that is the base of the WoT and there are legitimate use cases for
this. You might also want to learn on how the WoT works to see why the
keyservers don't carry any information on what you call "trust level"
and what we call "ownertrust". Just in case you meant the signature
class (0x10..0x13 aka generic,persona,casual,positive) the default is
"generic" and you need to employ the --ask-cert-level option to change
the default on a key by key case.

Further, the plan is to replace the SKS software by hockeypuck on the
servers. Thus the existing defaults are still good defaults.


Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.
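
The signature class described in the message above is the one-octet signature type inside each certification packet, which is the part a keyserver stores; ownertrust stays in the local trust database. The following Python example is added here for illustration and is not part of the thread or GnuPG code: it reads that octet from OpenPGP packets as framed in RFC 4880, and the sample bytes are constructed (the user ID is made up and the signatures are not cryptographically valid).

```python
import struct

# Certification signature types ("signature classes"), RFC 4880 section 5.2.1.
CERT_CLASSES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
SIGNATURE_TAG = 2


def read_packet(buf, pos):
    """Return (tag, body, next_pos) for the OpenPGP packet starting at pos."""
    hdr = buf[pos]
    if not hdr & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    pos += 1
    if hdr & 0x40:                      # new-format header
        tag = hdr & 0x3F
        first = buf[pos]
        if first < 192:                 # one-octet length
            length, pos = first, pos + 1
        elif first < 224:               # two-octet length
            length = ((first - 192) << 8) + buf[pos + 1] + 192
            pos += 2
        elif first == 255:              # five-octet length
            length = struct.unpack(">I", buf[pos + 1:pos + 5])[0]
            pos += 5
        else:
            raise ValueError("partial body lengths are not handled here")
    else:                               # old-format header
        tag = (hdr >> 2) & 0x0F
        length_type = hdr & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not handled here")
        width = 1 << length_type        # 1, 2 or 4 length octets
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, pos + length


def signature_type(body):
    """Extract the signature type octet from a v3 or v4 signature packet body."""
    if len(body) < 3:
        raise ValueError("signature packet too short")
    if body[0] == 4:
        return body[1]                  # v4: version, then type
    if body[0] == 3:
        if body[1] != 5:                # v3: version, hashed length (5), type
            raise ValueError("bad v3 hashed-material length")
        return body[2]
    raise ValueError("unsupported signature version %d" % body[0])


def signature_classes(data):
    """List (type octet, class name or None) for each signature packet in data."""
    found, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag == SIGNATURE_TAG:
            sig_type = signature_type(body)
            found.append((sig_type, CERT_CLASSES.get(sig_type)))
    return found


# --- constructed sample input (not real key material) ---
_TAIL = bytes([1, 8]) + b"\xab\xcd" + b"\x00\x01\x01"  # RSA, SHA-256, hash prefix, dummy MPI

def _sig_v4(sig_type):
    return bytes([4, sig_type, 1, 8]) + b"\x00\x00\x00\x00" + _TAIL[2:]

def _sig_v3(sig_type):
    return bytes([3, 5, sig_type]) + bytes(4) + bytes(8) + _TAIL

def _new_hdr(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body        # bodies here are < 192 octets

def _old_hdr(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body  # length type 0: one octet

SAMPLE = (
    _new_hdr(13, b"Alice <alice@example.org>")  # user ID packet, skipped by the scan
    + _new_hdr(2, _sig_v4(0x10))                # default "generic" certification
    + _old_hdr(2, _sig_v3(0x11))                # v3 signature, old-format header
    + _new_hdr(2, _sig_v4(0x13))                # "positive" certification
    + _new_hdr(2, _sig_v4(0x18))                # subkey binding: not a certification
)

if __name__ == "__main__":
    for sig_type, name in signature_classes(SAMPLE):
        print("0x%02x %s" % (sig_type, name or "(not a key certification)"))
```

Nothing in these packets corresponds to ownertrust, which is why a third party looking up a key sees only who certified it and with which class.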
Re: Plan B - Who carries the torch? [ In reply to ]
On Wed, Jan 6, 2021 at 3:00 PM Werner Koch <wk@gnupg.org> wrote:
>
> On Tue, 5 Jan 2021 16:46, Stefan Claas said:
>
> > Not sure I understand you correctly, but why are then SKS key servers
> > still in operation, which allows third parties to look up who signed
> > whose key and with what trust level and GnuPG's WoT support, compared
>
> Because that is the base of the WoT and there are legitimate use cases for
> this. You might also want to learn on how the WoT works to see why the
> keyservers don't carry any information on what you call "trust level"
> and what we call "ownertrust". Just in case you meant the signature
> class (0x10..0x13 aka generic,persona,casual,positive) the default is
> "generic" and you need to employ the --ask-cert-level option to change
> the default on a key by key case.

Thanks for the reply and clarifying.

> Further, the plan is to replace the SKS software by hockeypuck on the
> servers. Thus the existing defaults are still good defaults.

Ah, interesting. You know, what would be cool is if a hockeypuck testnet would
be run first, starting from zero, so that everybody interested in this new
keyserver network can participate, like submitting their keys etc., and later it
gets transferred to a mainnet without old useless keys, to have a fresh and
clean database.

I guess even the most hardcore SKS fan would agree that this should be not
too much work for users, submitting only once their actual key(s) and
revoked keys.

Regards
Stefan

Re: Plan B - Who carries the torch? [ In reply to ]
Why does GPG continue to be developed with email uses in mind even though it's now widely accepted that GPG is a terrible way to securely communicate with another person and that a number of much more secure, much more robust, much less complicated (from the end user perspective) solutions exist? I'm guessing it's the same reason.

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

------- Original Message -------

On Tuesday, January 5th, 2021 at 9:46 AM, Stefan Claas via Gnupg-users <gnupg-users@gnupg.org> wrote:

> On Tue, Jan 5, 2021 at 3:44 PM Werner Koch via Gnupg-users
> gnupg-users@gnupg.org wrote:
>
> > On Tue, 5 Jan 2021 07:27, Jean-David Beyer said:
> >
> > > Building a web of trust is so hopeless, from my point of view, that I
> > > have abandoned gnupg. I have made keys for myself, obtained enigmail
> >
> > Virtually nobody uses the WoT. What people use are direct key
> > signatures. That is you verify a key's owner and then sign that key.
> > Usually not even exportable. Verification is often done by trust on
> > first use. And that is okay for the majority of use cases.
>
> Not sure I understand you correctly, but why are then SKS key servers
> still in operation, which allows third parties to look up who signed
> whose key and with what trust level and GnuPG's WoT support, compared
> to sq and Hagrid?
>
> Regards
> Stefan
Re: Plan B - Who carries the torch? [ In reply to ]
Ryan McGinnis via Gnupg-users writes:

> Why does GPG continue to be developed with email uses in mind even
> though it's now widely accepted that GPG is a terrible way to securely
> communicate with another person and that a number of much more secure,
> much more robust, much less complicated (from the end user perspective)
> solutions exist?

genuine question, what are other proposals for communicating in a way
that is as secure and decentralized but simpler to handle for an end
user (especially not technically inclined)?

(apologies for kind-of-stealing the thread topic)

thanks.

Regards,

Re: Plan B - Who carries the torch? [ In reply to ]
It's hard to look towards the future if they invest in the past. I'm definitely on the younger side of this mailing list but GPG has definitely outlasted its usefulness. The majority of people using it don't even know they do and it's probably because of the use via Debian's packaging system.

E-mail is definitely the carrier pigeon of communication today and I agree that the need to decouple the association is needed but that's like trying to remove hydrogen from water. The identities are so tied to it (inb4 fingerprints - please) that it's beyond time (like since 2010 imo) for something else - anything else tbh.

On Wed, Jan 6, 2021, at 08:08, Ryan McGinnis via Gnupg-users wrote:
> Why does GPG continue to be developed with email uses in mind even
> though it's now widely accepted that GPG is a terrible way to securely
> communicate with another person and that a number of much more secure,
> much more robust, much less complicated (from the end user perspective)
> solutions exist? I'm guessing it's the same reason.
>
> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
> ------- Original Message -------
>
> On Tuesday, January 5th, 2021 at 9:46 AM, Stefan Claas via Gnupg-users
> <gnupg-users@gnupg.org> wrote:
>
> > On Tue, Jan 5, 2021 at 3:44 PM Werner Koch via Gnupg-users
> > gnupg-users@gnupg.org wrote:
> >
> > > On Tue, 5 Jan 2021 07:27, Jean-David Beyer said:
> > >
> > > > Building a web of trust is so hopeless, from my point of view, that I
> > > > have abandoned gnupg. I have made keys for myself, obtained enigmail
> > >
> > > Virtually nobody uses the WoT. What people use are direct key
> > > signatures. That is you verify a key's owner and then sign that key.
> > > Usually not even exportable. Verification is often done by trust on
> > > first use. And that is okay for the majority of use cases.
> >
> > Not sure I understand you correctly, but why are then SKS key servers
> > still in operation, which allows third parties to look up who signed
> > whose key and with what trust level and GnuPG's WoT support, compared
> > to sq and Hagrid?
> >
> > Regards
> > Stefan
Re: Plan B - Who carries the torch? [ In reply to ]
Hi everybody,

== who could continue development?

Beside other options already mentioned,

a) there is a charity https://gnupg.org/verein/
which currently is small with some of the already known people,
and only starts to do a few small things, but as a legal
entity it has some personal reserves that could be broadened.

b) g10code GmbH is also a legal entity and has some more employees than Werner
and Andre. If demand is high enough, one of those organisations can pick up.
(So you know: I am with GnuPG e.V. and my company Intevation
works together with g10code on Gpg4win. We offer paid support
for all available Free Software products in principle. So to me that is more
of a long term funding problem.)

Because GnuPG/Gpg4win is completely Free Software, many companies, or other
organisations can pick up its development.


== about its usefulness:

Personally I believe GnuPG, OpenPGP and email to be important and on the course
to stay for many years. Main reasons are:
a) email use has not gone down. It is one of the remaining really decentral
systems.
b) And it has become and stays an identity anchor for the majority of internet
based services. For this function public keyservers (decentral, carrying
signatures) are important (to complement some use cases).

Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner