|
|
|
|
|
|
by gpanders
2362 days ago
|
|
|
I found their “Out of scope” list very interesting. In particular, they list signing and “anything to do with emails” as non-goals. From my fairly limited understanding of cryptography, isn’t signing almost identical to encrypting (at least with RSA)? I don’t understand why this would not be supported in a self-styled PGP replacement. I also don’t understand the “anything to do with email” line. Sending my public key to a recipient on an out-of-band channel and then sending an encrypted email should be completely agnostic to the underlying encryption tools, no? I don’t mean to sound critical - I’m very intrigued by this project and would love to have a better replacement for gpg! |
|
|
Minisign is a good similarly-small tool for doing signatures + verification of signatures and nothing else. The cryptography is similar, but the use-cases are often different. The tools both follow the UNIX philosophy of trying to do one thing well. Blenders and belt sanders both operate with motors, but no one tries to combine them into one tool.
>I also don’t understand the “anything to do with email” line. Sending my public key to a recipient on an out-of-band channel and then sending an encrypted email should be completely agnostic to the underlying encryption tools, no?
Yes, you can do that.
Age doesn't want to involve web-of-trust, keyservers, key rotation, forward secrecy, post-compromise security, message repudiation, signing, email standards, and email client integration. All of these would be necessary for a good end-to-end encrypted messaging system. Try reading about the Signal protocol to see everything it does, and then try to figure out how to stuff it all into existing email systems. It's hard enough to get any of that stuff right even without the restriction of working inside email.