From: Anonymous <anon@anon.efga.org>
Date: Sun, 2 Nov 1997 02:39:31 +0800
To: cypherpunks@cyberpass.net
Subject: Re: [SURVEY] pgp5.x / pgp2.x users
Message-ID: <d7398092218ec328be03256d0d8c83a9@anon.efga.org>
MIME-Version: 1.0
Content-Type: text/plain



Adam Back <aba@dcs.ex.ac.uk> wrote:

>Fill out and email me, and I'll tabulate results, and post here and on
>ietf-open-pgp:

>==============================8<==============================
>mini straw poll on pgp2.x and 5.x usage:
>
>1. What are you currently using for everyday use: 2.x or 5.x

>[ 2 or 5 ]

2.x. 5.x is purposefully incompatable and crippled.

>2. What proportion of people you use PGP to communicate with are using 5.x

>[ x / y ]

None. If they're using 5.x I by definition can't communicate with them.

>3. How many of the 5.x users you communicate with are cypherpunks

>[ z ]

See above.

>==============================8<==============================

>The question has come up on ietf-open-pgp as to how important it is
>for the OpenPGP standard to support backwards compatibility with
>pgp2.x.

Very. 5.x right now is nothing but annoying. I can understand wanting to use
the new algorithms. However if the authors want to do that and literally
force people into upgrading then they need to make sure that every
platform which had a version of 2.x has a version of 5.x available, and they
need to stop breaking *every* script and program which calls PGP. If they 
release a version of PGP for one platform before they do others and the new
version is incompatable with the old for all intents and purposes, they're
just feeding OS wars, frustration, and hostility.

>The IETF generally likes to steer clear of patented algorithms as
>MUSTs in standards.  This encourages implementations, etc.
>(Personally I'm pretty keen on this point, though I would like more
>backwards compatible pgp5.x implementations -- I've already received
>emails I can't read without resorting to the pgp5 command line app,
>which doesn't work with my mailer integrated system.)

That's exactly my situation. I figure, however, that if somebody is going to
send out broken email I won't bother kludging around to read it no more than
I will go start X11 and fire off a 20 MB browser (Communicator) because some
moron doesn't know how to use HTML as it was originally designed. I'm 
personally appalled at the number of Cypherpunks using a version of PGP
which is completely incompatable with previous versions and outrageously
annoying to use unless you run Windows since it breaks everything which is
integrated.

>So the question arises, just how many pgp2.x users are there.  PGP Inc
>are pointing to the ratio of RSA keys to DSA/EG keys on keyservers as
>showing that pgp2.x users are in the minority.  However that ratio is
>something like 20,000 to 75,000, and I'm sure we've heard statistics
>in the past about there being literally millions of pgp 2.x users.
>One suspects that either many pgp 2.x users aren't using keyservers (I
>know several cypherpunks who have something against key servers and
>avoid them for perceived security or privacy reasons), and/or the
>pgp2.x user base is exaggerated.

You can't compare the user bases this way. 

First, 5.x integrates easily into several Windows mailers. This encourages
people to go get it and install it over 2.x. 

Second, 5.x integrates keyserver functions. 2.x does not. It's really no
work for 5.x users to submit a key to a keyserver, where it takes some
effort with 2.x. 

Third, most people probably have Windows installed already. They heard 5.x
was out, and didn't realize that it was so...well, broken. I know I fetched
5.x when it came out and installed it. I almost sent my key to the servers, 
then stopped to think about how the generated key doesn't work with 2.x. 

Fourth, if you're using Windows and communicating with other Windows users
there is really no reason not to use 5.x. People communicating with
classmates at universities and such are likely to go install 5.x because it's 
easy to use, send their key to the keyservers because they can, and inflate the
numbers.

Fifth, there are far more Windows users than users of other OSes. Windows
users have no reason not to upgrade, while other users have every reason
to stick with previous version.

I think the major problem with 5.x right now as it stands is the complete
lack of support from http://beta.pgp.com, the forced command-line
incompatabilities, and the lack of a stable multiplatform version. Add to
that the CMR debacle. 

Now in defense of PGP 5.x I do like the keyserver integration, expiry dates
on keys, and some of the other features. I like how it integrates with the
mailers. 

This entire thing makes me think of a web site which checks your browser and
OS. If you aren't running what the author likes, it tells you that you suck,
you're a moron, you're behind the times, you're using an inferior operating
system, and then doesn't show you the data. This is analogous to what PGP 
Inc. has done. This compatability thing could have very easily been avoided.

Face it, PGP Inc. screwed up. I think it's ultimately going to be the job of
Cypherpunks outside of the Land of the Freeh to clean up their mess.

Has anyone considered hacking up 2.6.xi to handle the new format? It would
have to be saner than 5.x is at this point. I would try, but I'm in the Land 
of the Freeh where you put your backside on the line to write any crypto 
software at all.

Ah, I love America.

CompatabilityMonger