[tptacek]

This is silly. Nothing that happens with the standard or its implementation is going to prevent you from decrypting a 20 year old email. It shouldn't need saying, but one reason for that is that PGP's cryptography is schoolbook cryptography.

[b112]

This is silly

Upstream spoke of deprecated support for older emails. My response is aimed there.

And there is loads of software that will not compile on modern hardware. End users don't often have that ability to re-write, or even to easily validate a random bit of code on github.

A project like this, needs to maintain backwards operability. For decades.

[tptacek]

Once again: this is silly, because whatever conversation we are having about the standard, your ability to decrypt old messages would not have been impacted. Standard revisions don't turn the previous standard into secret forbidden knowledge.

What's really being asked for here is the capability to seamlessly continue sending messages with the previous, weak constructions, into the indefinite future, and have the installed base of the system continue seamlessly reading them. I think that is in fact a goal of PGP, and one of its great weaknesses.

[kazinator]

When standards remove the requirements for something after a period of obsolescence, that tends to send a message to the implementors to remove that from the software.

Users who still rely on that have to use the old software, against which there can be barriers:

- old executables don't run on newer OS (particularly in the Unix world).

- old source code won't build.

- old code won't retrieve the old data from the newer server it has been migrated do.

Things like that.

The barriers could be significant that even someone skilled and motivated such as myself would be discouraged.

[Avamander]

> Users who still rely on that have to use the old software, against which there can be barriers

Not all reliance is reasonable though.

Some legacy software can only do SSLv3 or lower, does that mean the rest of the internet has to carry that support around? Abso-f-lutely not.

The same applies here. If you really need that ancient stuff that loses support, repackage them in newer encryption or remove the obsolete layer. It's highly probable that information no longer needs to stay encrypted at rest anyways.

[kazinator]

In my opinion, the Internet should not be removing support for older SSL. The highest SSL version that is common to server and client should always be used.

[woodruffw]

> The highest SSL version that is common to server and client should always be used.

That is how it works. What you're missing is that everyone, both servers and clients, agrees that supporting old SSL versions is a bad idea. And they're right.