[mc42]

My biggest point of contention with this is... what should replace it? PGP is the current and retroactive psuedo-standard for verification for everything from email to code to builds.

Any replacement would have to be at least semi-compatible, so as not to break the (likely) hundreds of solutions relying on and expecting PGP.

[tptacek]

This is in fact the problem with trying to write eulogies for PGP. PGP is still a useful tool, just not for the application it was originally intended to: it's a very idea to try to retain secrecy among even small groups of people using PGP-encrypted email.

[jwilk]

Very idea?

[thaumasiotes]

Context suggests a typo for "very bad idea".

Although I kind of like the image of tptacek thinking about using PGP for email and scoffing "Hmpf! The very idea!"

[nickik]

What Keybase does with their new Key model and the way they send encrypt messages is pretty nice. The way they do the public directory is pretty nice, but improvement can still be made.

https://saltpack.org/

[verandaguy]

I used to be skeptical about this... but if the Signal protocol sees more widespread adoption outside of the Signal app and Whatsapp, it could be a good fit.

I'm very open to hearing about reasons why this wouldn't be the case, though.

[lmm]

There are times when you want non-repudiable signatures, times when you want to be able to keep an archive, times when you want your messages to behave more like letters than like spoken conversations. PGP is still the best fit for email-like use cases and long-lived identities; Signal et al don't even try to address that use case.

[CaptSpify]

AFAIU, the Signal protocol doesn't work with email, only with sms. Am I mistaken in this?

[mstef]

the protocol is very generic and does not require anything related to phones. it is actually 3 parts, a key exchange, a signature mode and a ratchet. how you combine these is up to you. the app is one way to combine them with phones. there's other ways to use the protocol, that could also be applied to emails

[wtbob]

There's no reason why the Signal app couldn't allow you to register mailto:joe@example.invalid as well as tel:+18005551212; it just, currently, doesn't.

And of course the protocol in general is much higher-level than that.