…But thanks to all this drama, we have so many good texts:
young age of the algorithm.
From Soatok’s writing it doesn’t look this young
…But thanks to all this drama, we have so many good texts:
young age of the algorithm.
From Soatok’s writing it doesn’t look this young
Now that I am over the 2-post restriction, I will post the links to all of the aforementioned articles and documentation, to allow people to bypass any block which my server defences may be causing.
Articles:
Documentation:
Specifications:
Thanks, sad to hear there’s been drama. I’ll probably have to dig into their backlog to see what arguments were made. I don’t know enough of this yet to have a strong opinion.
The same thing can be done with OpenSSH signatures, in a far-more-secure and saner way. You can attach an OpenSSH signature as a file or ASCII-armored text. PGP is, to put it simply, deranged and was never designed at the time for the issues and attacks we face, today. Cryptography was barely understood or required when PGP was designed.
I have been using OpenSSH signatures for signing everything from emails (non-natively), to files, to Git commits. It works fine.
The worrying, and endlessly-annoying, thing is how people still use and rely on PGP when it doesn’t have to be that way. I see anything using PGP as plaintext, unsigned, and unencrypted. Yes, it’s that bad once you read the details of the design and implementations. Switching what generates PGP doesn’t change what PGP, itself, is.
Wrapping something such as X25519 in an ML-KEM wrapper does not make it less secure even if it’s broken. As OpenBSD agrees[0], loss of the quantum-resistant wrapper means it’s the status quo of the wrapped algorithm without post-quantum resistance.
There is nothing to lose, and everything to gain.
You should go & work for NASA,they need you.
Ups, their website works via Tor. They’re rookies!
You should go & work for NASA,they need you.
Yes, it is quite horrifying indeed that they use PGP. Just like all of the Linux distributions which don’t seem to care, either; but, that’s the world we live in. Reading the references I linked to shows you just as much; more people using it hardly means something is better, and that is exactly my point-of-frustration.
Ups, their website works via Tor. They’re rookies!
NASA is also a huge organisation, in comparison to me being a single person working on many systems at home. You’re free to mention the issues with that approach, but, at least, take the scaling into mind when you do.
You can also build my website from source (pure XHTML and CSS, if you don’t mind losing the video JS to add streaming-features to the videos). That is the reason I have it mirrored across my own server and Codeberg (previously, GitHub, too, which I removed due to Copilot nonsense harrassing me).
Another reference to add to the list: GrapheneOS dropped PGP-signing in favour of SSH-signing[0].
PGP is old, but it is also convenient: one can sign, encrypt, certificate and authenticate with just a keypair. I guess this is one of the reasons why it is still heavily used, the other being software compatibility.
As stated by Latacora, this jack-of-all-trades, master-of-none approach is exactly why it is bad and should never be used unless there is an unavoidable hard dependency on it; which almost no one has, but most people continue to use, anyway:
One of the rhetorical challenges of persuading people to stop using PGP is that there’s no one thing you can replace it with, nor should there be. What you should use instead depends on what you’re doing.
The software already exists; people just don’t bother using it, and are hostile to it whenever moving away from PGP is mentioned.
OpenSSH has supported signatures since 2019[0], and age has existed since 2020[1]. There aren’t any more excuses. At this rate, people will still be saying they need this “backwards compatibility” in 2050…
The latest OpenPGP specification (RFC 9580) even states the following:
Many security protocol designers think that it is a bad idea to use a single key for both privacy (encryption) and integrity (signatures). In fact, this was one of the motivating forces behind the version 4 key format with separate signature and encryption keys. Using a single key for encrypting and signing is discouraged.
At that point, just use different tools, designed specifically for their intended purpose, for each, which is what OpenSSH and age do…
PGP has clearly lost its direction and knows it has no reason to exist now that all of these issues have been exposed over time. It is equivalent to making new versions of DOS (PGP predates Windows 95 by 4 years…) and claiming they “fixed” issues. The correct approach is to use an OS which was designed with known issues in mind, just as the correct approach for signing and encryption is to use tools with the known issues in mind.
We may even be revisiting this conversation in 30 years to discuss how OpenSSH and age have outlived their purpose with old knowledge and design from the 2020s. The difference is, users of those are likely to accept it and move on to whatever is sane at that time, not defend them without justification.
I think this depends on the threat modeling.
I trust cryptographers when they say PGP does a mediocre job and important, very sensitive information should be protected or signed using dedicated tools, and that the Linux ecosystem should move as well. Bad implementations like GnuPG don’t help either.
But it’s also true that perfect is the enemy of good, and PGP aspires to offer, as the name says, pretty good privacy, not perfect (or almost perfect). Not only that, but the OpenPGP ecosystem, even if it’s a mess, it’s also mature. I don’t think projects like Sequoia would exist if OpenPGP was deemed beyond salvation.
There’s also another factor: the social one. I have experienced recently the art of trading public keys face-to-face and certify that the received key belongs to the person I’ve met. Tools like OpenKeychain makes this very easy, and it’s very satisfying. The web of trust has a lot of problems, but I personally consider this a nice complement to the hierarchical CA roots of trust. Especially in societies like ours where emails are still associated with our identities and used to send and receive potentially sensitive information, and open protocols like WebDAV were not designed with E2EE in mind.
Swiss knives and smartphones are far from perfect and don’t replace dedicated tools, but it’s always nice to have one of these. And they still can become pretty good.
Those projects exist because people continue to use them and trust them, despite the flaws being very apparent. It’s the same reason we are stuck with insecure cellular calls and SMS; people don’t bother switching to something saner.
Be the change you want to see. Consult my words, above. If people want to sign things to me, they can use OpenSSH. If people want to encrypt things to me, they can use age. I am willing to look at solid alternatives, but it won’t be the PGP cult (which is what I see it as, now, as part of the “social” aspect). In fact, Latacora touches on the social aspect of it and why that is the identity of PGP, rather than the security aspect.
The “web-of-trust” is one of the worst aspects of PGP. It’s the exact reason people refuse to just toss old/compromised keys and generate new ones. I know people who have stuck with compromised PGP keys because of the tediousness of bootstrapping new ones. It’s not good, in any regard, to behave that way. With OpenSSH keys and age keys, you pin them to a trusted root, yourself (website, GitHub, bundled with software, etc); the more places you put them, the better[0].
At this point, it seems like a case of people who want technical superiority, versus people who want to stick with the status quo due to installed-base, making me see further discussion on this matter pointless. What I really want to come out of this discussion is for Privacy Guides to add OpenSSH as a signing method and age as an encryption method, preferably pointing people to use those rather than PGP.
Since I doubt PGP is going to be removed, and, very unfortunately, people are going to continue to use it, the recommended implementation should at least be switched to Sequoia-PGP. I don’t believe that anyone has a reason to defend GPG. Just take a look at the security vulnerabilities GPG has had, along with how the developers of it have played them down as nothing. The codebase is quite terrifying, too, to say the least.