by tptacek 2106 days ago
It's telling that the most common example of a widespread use of PGP (modern messaging applications exchange more messages in a day than OpenPGP has ever exchanged) is software update schemes, because software update cryptography is both a solved problem (just use signify) and doesn't have network effects; it's a "trust anchor" application.

At least with PGP email, you can make the argument that PGP sticks around because people don't want to recreate contact lists. But even that argument doesn't apply to update.

2 comments

Backup, archivization, password managers, the list is long. Duplicity has many users: http://duplicity.nongnu.org Pass is also pretty popular on HN: https://www.passwordstore.org Both use GPG.
I use pass and I would switch in a heartbeat to a fork of it that used ssh keys or something similar instead of gpg. For something so amazingly simple and useful, its dependence on the klunky mess that is gpg key management is an anchor that weighs it down.
Key management is a burden in every cryptosystem. I'm using KeePass and can recommend it, it works well.
Would you know if it failed?
If it would "fail" and there would be no consequences so I couldn't tell if it failed or not - would it make a difference?
If the failure were discovered by you a year later, realizing that all you thought was protected was in an adversary's hands.

I'm suggesting that "seems fine so far" is not effective at evaluating solidity of cryptographical usage.

> software update cryptography is both a solved problem (just use signify)

Well, just use TUF [1] and in-toto [2] ;)

[1] https://theupdateframework.io/

[2] https://in-toto.io/

Note that TUF is great for things with multiple contributors (think npm or pypa).

For the simple case of "a single publisher publishes update for a single product", TUF is overkill. Something like signify or seccure will be way easier to set up and use.

signify is nice when key distribution, revocation, and rotation are handled for you... but how do you do that securely for many different publishers on a single repo?