[redvenom]

PGP definitely has a problem with verifying identity behind keys, but I think that problem is overblown for a lot of purposes. Most of the emails people send out are to people they already know, and for those it is usually immediately obvious whether the person behind the key is the person you know in real life.

For other cases, it's often sufficient to follow the 'trust on first use' model, keeping in mind you need to build up trust by initial interactions whose contents are not highly sensitive. In both these cases, PGP works fine, and I suspect if people just didn't worry about web of trust and followed that simple guideline, the resulting state of sending encrypted emails would already be much better than it is now.

[tptacek]

The biggest problems cryptography engineers have with PGP don't have much of anything to do with "web of trust", but rather with the archaic cryptography PGP in practice uses. Efail, for instance, is a result of flaws that simply don't occur in modern designs, which never release unauthenticated plaintext --- in fact, by cryptographic design, can't do so.

The designs promoted by minisign and age work the way you talk about here, and have the benefit of using modern curve crypto, so keys are even shorter than SSH keys and even easier to move around, without all the ceremony PGP requires.

[madez]

Efail was a problem specific to e-mail, not pgp. BTW, if you attacked e-mail as the insecure by design, factually oligarchic communication system it is, I'd be totally in agreement.

GPG supports ed25519 ecc identities, which can be used in SSH, too. Which shorter keys are you referring to?

And to once again repeat the question begging an answer: which alternative do you propose to independently create and manage a cryptographic identity?

I think you owe an answer to that question given how you criticize the de facto standard for it.

[tptacek]

I don't know what "create and manage a cryptographic identity" means, and I do this stuff for a living. Can you put that in terms that actual people care about?

GPG supports ed25519. In some spec somewhere or other, and probably in a version of GnuPG as well, GPG supports everything. But in practice, GPG is RSA and CAST5 in CFB mode with PGP's archaic authenticator. And the impact of Efail was to email, the same way the impact of a memory corruption vulnerability might be to pop calc.exe (at first). But the flaw behind Efail was that GPG released unauthenticated plaintext to callers, which is something cryptosystems are meant never to do.