> Even if you don't know them, (and pardon my arrogance,) OpenPGP.js and GopenPGP probably have many more end users than GnuPG, due to them being used by Proton Mail (among other products).

Right, but I assume the point of Proton Mail using OpenPGP is so that mail sent by Proton Mail can actually be verified/decrypted by other systems that aren't Proton Mail? So compatibility with the widely known GnuPG is a goal. Otherwise the question remains, why PGP?

> That's not how the IETF process works

Sure, but it is how the real world works.

> That being said, OpenPGP.js and GopenPGP do actually implement the old version of the draft

So are you doing both? If you implement the crypto refresh and GnuPG doesn't then you lose compatibility, right? If you don't lose compatibility and are somehow doing both, then what's the point?

> So are you doing both? If you implement the crypto refresh and GnuPG doesn't then you lose compatibility, right? If you don't lose compatibility and are somehow doing both, then what's the point?

OpenPGP keys can signal support for various features and algorithms - such as AEAD modes. As one example, the crypto refresh specifies GCM (as optional to implement).

This means that, when sending email between Proton users and OpenPGP implementations that support that, we can use GCM - which has certain security and performance benefits.

If we send email between Proton users and GnuPG, we won't use GCM, so we won't lose compatibility, but users also won't benefit from those (and other) security and performance improvements.

Thank you for clarifying. I'd still be concerned about not being able to use the same key for proton mail and my desktop application, but that is more reasonable to deal with.

If you use the same key for proton mail and your desktop, anyone who is privacy conscious will ban that key as "leaked".

There was recently such a discussion on debian, that keys used by protonmail and similar are not allowed to be used for uploads.

This is something I would want a subkey system to handle. Like it would be neat if you could have a masterkey that signs two separate keys and says "this is for proton" and "this separate key is for debian", in such a way that it's clear that they both belong to me.

> I'd still be concerned about not being able to use the same key for proton mail and my desktop application

Would it be possible to use different subkeys for each (a good idea in any case, since it would allow revoking them separately in case one of them is leaked)? I don't recall whether the packet with the features and algorithms support information is attached to the key or to the subkey.

It's possible to do both, however, the crypto refresh recommends setting the preferences on the entire key, and anything else isn't widely supported, I believe. Theoretically, you could have two versions of the key with different preferences (and different subkeys), but at that point you're probably better off having two entirely separate keys.

> I assume the point of Proton Mail using OpenPGP is so that mail sent by Proton Mail can actually be verified/decrypted by other systems that aren't Proton Mail?

My experience with Proton is that they really don't care anything about encryption or signatures except as they apply to emails between Proton users: http://jfloren.net/b/2023/7/7/0

We do care about interoperability, indeed that's the point of using OpenPGP.

I've addressed the points in the blog post in https://news.ycombinator.com/item?id=36643124.

Proton mail has fewer users than "apt-get" though. So your accounting is probably off by a few million users the other way.

Not sure: https://proton.me/blog/proton-100-million-accounts

But yeah, I was more thinking of email than code signing, since it's hard to get statistics on the latter I should've qualified :)