by anon-sre-srm
954 days ago
The technology of gpg isn't the problem, it's the CLI and non-CLI UX that's the problem. Mailvelope makes it sort-of easier, but it also fails at UX because it doesn't support clear signatures. Gmail and such should address this. Proton is an improvement but it doesn't allow using an external GPG key. keybase sort-of solved the scalability of effort problem / barrier that is web of trust, countersigning keys, and the bad UX of keyservers. There is no readily suitable admixture of keybase, Mailvelope, and Proton that doesn't suck while supporting maximum flexibility.
The tech is old and out of sync with modern cryptographic principles. It supports a bunch of obsolete algorithms for backwards compatibility, some of which are badly broken. It has a complicated packet format that's hard to parse and itself has security issues. It encourages bad practices like keeping ancient keys around because they have signatures on them.
It's also highly hostile to using it in any way but how it was designed. For ages, there was no library to parse OpenPGP packets. You had to run gpg itself, maybe give it a fake home directory, feed it whatever you need, parse the output... it's an enormous amount of pain even for simple things, and it's all terribly slow.
And it badly damaged the ecosystem, because either you spend lots and lots of time on reimplementing lots of crypto (which tends to be a bad idea), or you try to trick GPG into doing what you need and end up with a system that's dreadfully slow and painful to use.
The problems you speak of are probably due to this. There wasn't a usable base to build services on until very recently, when GPG was already effectively dead.
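As an illustration of the "complicated packet format" point in the reply above, here is a minimal parser for OpenPGP packet framing (RFC 4880 section 4.2). It is an added example, not code from the commenter, from GnuPG, or from any OpenPGP library; the sample byte strings in the test are constructed by hand. It handles only the outer framing, not packet bodies, and even that already needs two header generations, four length encodings, indeterminate-length old packets, and partial-body chunking for new-format data packets, where the reader cannot know where a packet ends without walking every chunk.

```python
"""Minimal OpenPGP packet-header parser (RFC 4880 section 4.2).

Constructed example: it parses the framing of a sequence of OpenPGP
packets (old and new format headers, all length encodings) and
reassembles partial-body chunks.  Packet bodies are returned as raw
bytes; nothing inside them is interpreted.
"""
from dataclasses import dataclass

# Packet tags from RFC 4880 section 4.3 (subset, for readable output).
TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    6: "Public Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data",
    11: "Literal Data",
    13: "User ID",
    18: "Sym. Encrypted Integrity Protected Data",
}


class PacketError(ValueError):
    """Raised on malformed or truncated framing."""


@dataclass
class Packet:
    tag: int
    new_format: bool
    body: bytes
    partial: bool  # True if the body was reassembled from partial-body chunks

    def name(self) -> str:
        return TAG_NAMES.get(self.tag, f"tag {self.tag}")


def _read_new_length(data: bytes, pos: int):
    """Return (length, next_pos, is_partial) for a new-format length field."""
    if pos >= len(data):
        raise PacketError("truncated length field")
    first = data[pos]
    if first < 192:                       # one-octet length
        return first, pos + 1, False
    if first < 224:                       # two-octet length
        if pos + 1 >= len(data):
            raise PacketError("truncated two-octet length")
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:                      # five-octet length
        if pos + 4 >= len(data):
            raise PacketError("truncated five-octet length")
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    # 224..254: partial body length, always a power of two; more chunks follow
    return 1 << (first & 0x1F), pos + 1, True


def parse_packets(data: bytes) -> list:
    """Split a byte string into Packet objects, validating the framing."""
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]                   # "cipher type byte" / packet tag octet
        if not ctb & 0x80:
            raise PacketError(f"bit 7 clear at offset {pos}: not a packet header")
        pos += 1
        if ctb & 0x40:                    # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            body = bytearray()
            partial = False
            while True:
                length, pos, is_partial = _read_new_length(data, pos)
                if pos + length > len(data):
                    raise PacketError("body runs past end of input")
                body += data[pos:pos + length]
                pos += length
                if not is_partial:
                    break                 # final (non-partial) chunk ends the packet
                partial = True
            packets.append(Packet(tag, True, bytes(body), partial))
        else:                             # old-format header: tag in bits 5..2
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                # indeterminate length: the packet consumes the rest of the input
                body = data[pos:]
                pos = len(data)
            else:
                n = (1, 2, 4)[ltype]
                if pos + n > len(data):
                    raise PacketError("truncated old-format length")
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
                if pos + length > len(data):
                    raise PacketError("body runs past end of input")
                body = data[pos:pos + length]
                pos += length
            packets.append(Packet(tag, False, body, False))
    return packets


if __name__ == "__main__":
    # Constructed sample: an old-format User ID packet followed by a
    # new-format Literal Data packet delivered in two partial-body chunks.
    sample = b"\xb4\x05alice" + b"\xcb\xe1ab\x03cde"
    for p in parse_packets(sample):
        print(p.name(), "new" if p.new_format else "old", p.body, p.partial)
```

Every length check in the parser is there because a truncated or oversized length field is exactly the kind of input that a hand-rolled reader of this format tends to get wrong; a robust implementation also has to reject partial-body lengths on packet types that are not allowed to use them and cap reassembled sizes, which this example does not attempt.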