Frank Tobin writes: > My proposal is realistic in the face that RFC 2440 is the standard > to follow. One problem that people face today is that they still > only think there are 3 real classes of PGP implementations out > there; PGP 2.x, PGP 5.x and above, and GnuPG. However, as more and > more implementations arise, the need for RFC 1990 users to abandon > their implementations will become more obvious. Have you read rfc2440? It explicitly allows backwards compatibility with PGP 2.x; sure the protocol suffered some complexity because of this, but that is done now. Your argument about abandoning pgp2.x users for technical reasons is wrong; the only reasons are patent issues. > To think that maintaining compatiblity is as simple as plugging in > RSA and IDEA is ridiculous. I know what is involved in maintaining backwards compatibility, I participated in the IETF openPGP group that spent a long time arguing about the limits of this. There are capability strings, and publickey versions all of which *allows* backwards compatibility. PGP5.x and 6.x and gnuPG implement this very backwards compatibility strategy IF you go out of your way to buy or download the extra components with the patented stuff in them. It is pointless theorising about it not being possbile, three independent implementations have already done it. The comment is that now the RSA patent has expired, and the IDEA patent is much less onerous, lets see these modules shipped as the default. I don't care about the GNU definition of the word "free", I want to reduce the fragmentation of the PGP user base, and as a result see a faster migration away from patented algorihtms. Adam