[0xDEAFBEAD]

>The whole situation regarding key servers, key rotation, and the web of trust is a complete dumpster fire.

Can you explain why?

People elsewhere in this thread are saying that PGP sucks because it tries to do too many things at once, but it seems to me that the one big advantage of a tool which does everything at once is that you only need to solve authenticity one time for everything you do.

For example, if I'm communicating with an open source dev, having their known-authentic PGP key allows me to simultaneously verify the authenticity of their software updates, verify the authenticity of the email they send me, and encrypt my emails to them. Is there anything outside of PGP that accomplishes this?

[nvy]

>Can you explain why?

Well, the key servers are useless because they are susceptible to that poisoning attack from a few years ago, and they happily send you fraudulent or revoked keys.

And the web of trust doesn't scale. The trust ratings mean different things to different people, the propagation of revocation certs and signatures is slow, and rotating keys is onerous.

>For example, if I'm communicating with an open source dev, having their known-authentic PGP key allows me to simultaneously verify the authenticity of their software updates, verify the authenticity of the email they send me, and encrypt my emails to them. Is there anything outside of PGP that accomplishes this?

How often do you check the fingerprints of that key? Do you verify out of band when the developer rotates their key? (Haha just kidding, PGP users essentially never rotate keys)

If you care enough to encrypt your emails, then what is the virtue of verifying less frequently that you're talking to the correct persons?

Why wouldn't you want separate keys for all those things?

Why would you want an adversary to be able to compromise a single key and have the ability to forge commits, emails, and whatever else?

[0xDEAFBEAD]

>How often do you check the fingerprints of that key? Do you verify out of band when the developer rotates their key?

I'm almost certain PGP best practice is to have a single master key, kept on an airgapped device, that's used to sign subkeys for various purposes like email, commit signing, etc. So I only have to verify out of band once, unless the airgapped device gets compromised or the master key encryption is broken.

[nvy]

What percentage of PGP users actually have an airgapped device and actually go through all that rigamarole?

More importantly, how do you know that your counterparty is one of that (extremely small) minority?

[0xDEAFBEAD]

PGP users are a minority to begin with. I wouldn't be surprised if a lot of them do this. I think I got that rec from a PGP beginner guide I found the other month.

Don't forget about PGP smart cards either. You could keep the master key you use to sign subkeys on a smart card. A smart card should be harder to hack than your phone.

Qubes has built-in "split GPG" support that allows you to e.g. sign something using your private key while keeping it in a different VM. See https://www.qubes-os.org/doc/split-gpg/

I know PGP isn't for everyone, I just like the idea of keeping high-security options available for those who want them.

>More importantly, how do you know that your counterparty is one of that (extremely small) minority?

You could ask them :-)

[nvy]

>I know PGP isn't for everyone, I just like the idea of keeping high-security options available for those who want them.

But PGP doesn't provide a high-security anything.

- In order to achieve some reasonable level of protection from MITM attacks you can't just get someone's key from a keyserver. You have to go hunting for it and you're never really sure if there's a revocation cert out there that you just missed.

- Some people publish PGP keys on their websites, and you could use that to contact them over encrypted email. You are still vulnerable to metadata analysis and unless you manually re-key on every message (which you don't), you don't enjoy forward secrecy. Additionally, all it takes is one oopsie moment for someone to Reply-All and forget to encrypt first and now the entire conversation went out unencrypted. This has happened to me.

- You claim there's some unspecified benefit to signing commits with the same key you encrypt your emails with, though I don't see why that's superior to signify/minisign

- Best practices demand that you keep an airgapped machine with a long lived master key on it. No mention is made of how to prevent BadUSB-type attacks from jumping the air gap. If you really want to be sure nobody mints their own key from your airgapped machine to impersonate you, you now need to monitor your machine. That raspi in a drawer is still vulnerable to Evil Maid attacks, and the worst part is you won't know someone's impersonating you until it's too late.

All this attack surface just for the purported convenience of having some kind of unified "crypto identity" wherein you only need to verify someone once?

These are not the characteristics of a high security system. This is why people think PGP is a for security LARPers. It's objectively just not a very good tool.

[0xDEAFBEAD]

>- In order to achieve some reasonable level of protection from MITM attacks you can't just get someone's key from a keyserver. You have to go hunting for it and you're never really sure if there's a revocation cert out there that you just missed.

This is a convenience consideration, not a security one.

>- Some people publish PGP keys on their websites, and you could use that to contact them over encrypted email. You are still vulnerable to metadata analysis and unless you manually re-key on every message (which you don't), you don't enjoy forward secrecy. Additionally, all it takes is one oopsie moment for someone to Reply-All and forget to encrypt first and now the entire conversation went out unencrypted. This has happened to me.

These are problems with encrypted email, not PGP. Encrypted email is not the only way to use PGP. See e.g. https://news.ycombinator.com/item?id=38575764

>No mention is made of how to prevent BadUSB-type attacks from jumping the air gap.

You could write newly minted keys to single-use CD-Rs.

>If you really want to be sure nobody mints their own key from your airgapped machine to impersonate you, you now need to monitor your machine. That raspi in a drawer is still vulnerable to Evil Maid attacks, and the worst part is you won't know someone's impersonating you until it's too late.

If physical access is part of your threat model, you'll want to monitor access to your stuff anyways.