[0xDEAFBEAD]

>How often do you check the fingerprints of that key? Do you verify out of band when the developer rotates their key?

I'm almost certain PGP best practice is to have a single master key, kept on an airgapped device, that's used to sign subkeys for various purposes like email, commit signing, etc. So I only have to verify out of band once, unless the airgapped device gets compromised or the master key encryption is broken.

[nvy]

What percentage of PGP users actually have an airgapped device and actually go through all that rigamarole?

More importantly, how do you know that your counterparty is one of that (extremely small) minority?

[0xDEAFBEAD]

PGP users are a minority to begin with. I wouldn't be surprised if a lot of them do this. I think I got that rec from a PGP beginner guide I found the other month.

Don't forget about PGP smart cards either. You could keep the master key you use to sign subkeys on a smart card. A smart card should be harder to hack than your phone.

Qubes has built-in "split GPG" support that allows you to e.g. sign something using your private key while keeping it in a different VM. See https://www.qubes-os.org/doc/split-gpg/

I know PGP isn't for everyone, I just like the idea of keeping high-security options available for those who want them.

>More importantly, how do you know that your counterparty is one of that (extremely small) minority?

You could ask them :-)

[nvy]

>I know PGP isn't for everyone, I just like the idea of keeping high-security options available for those who want them.

But PGP doesn't provide a high-security anything.

- In order to achieve some reasonable level of protection from MITM attacks you can't just get someone's key from a keyserver. You have to go hunting for it and you're never really sure if there's a revocation cert out there that you just missed.

- Some people publish PGP keys on their websites, and you could use that to contact them over encrypted email. You are still vulnerable to metadata analysis and unless you manually re-key on every message (which you don't), you don't enjoy forward secrecy. Additionally, all it takes is one oopsie moment for someone to Reply-All and forget to encrypt first and now the entire conversation went out unencrypted. This has happened to me.

- You claim there's some unspecified benefit to signing commits with the same key you encrypt your emails with, though I don't see why that's superior to signify/minisign

- Best practices demand that you keep an airgapped machine with a long lived master key on it. No mention is made of how to prevent BadUSB-type attacks from jumping the air gap. If you really want to be sure nobody mints their own key from your airgapped machine to impersonate you, you now need to monitor your machine. That raspi in a drawer is still vulnerable to Evil Maid attacks, and the worst part is you won't know someone's impersonating you until it's too late.

All this attack surface just for the purported convenience of having some kind of unified "crypto identity" wherein you only need to verify someone once?

These are not the characteristics of a high security system. This is why people think PGP is a for security LARPers. It's objectively just not a very good tool.

[0xDEAFBEAD]

>- In order to achieve some reasonable level of protection from MITM attacks you can't just get someone's key from a keyserver. You have to go hunting for it and you're never really sure if there's a revocation cert out there that you just missed.

This is a convenience consideration, not a security one.

>- Some people publish PGP keys on their websites, and you could use that to contact them over encrypted email. You are still vulnerable to metadata analysis and unless you manually re-key on every message (which you don't), you don't enjoy forward secrecy. Additionally, all it takes is one oopsie moment for someone to Reply-All and forget to encrypt first and now the entire conversation went out unencrypted. This has happened to me.

These are problems with encrypted email, not PGP. Encrypted email is not the only way to use PGP. See e.g. https://news.ycombinator.com/item?id=38575764

>No mention is made of how to prevent BadUSB-type attacks from jumping the air gap.

You could write newly minted keys to single-use CD-Rs.

>If you really want to be sure nobody mints their own key from your airgapped machine to impersonate you, you now need to monitor your machine. That raspi in a drawer is still vulnerable to Evil Maid attacks, and the worst part is you won't know someone's impersonating you until it's too late.

If physical access is part of your threat model, you'll want to monitor access to your stuff anyways.