by upofadown 434 days ago
You can just send your PGP key to your correspondents attached to an email. There is even a MIME type for it. There is no need for any public broadcasting.

The big problem is verifying identities. The usability of that is an unsolved problem that plagues encrypted messaging of all kinds. So sure, signing PGP keys as a form of introduction is awkward, but at least it is possible. How do you vouch for, say, a Signal user?

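The first post's point, that a public key can simply ride along in an email because there is a MIME type for it (application/pgp-keys, registered by RFC 3156), as an added example that is not code from this thread. It builds such a message and parses the key back out on the receiving side using only Python's standard email library; the key block is a constructed placeholder rather than real key material, and the function names are my own. Extracting the key says nothing about who it belongs to, which is exactly the verification problem the rest of the thread argues about.

```python
"""Send and receive a PGP public key as an application/pgp-keys MIME part.
Added example (stdlib only); SAMPLE_PUBLIC_KEY is a constructed placeholder."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Media type registered by RFC 3156 for PGP key material.
PGP_KEY_MIME_TYPE = "application/pgp-keys"

# Constructed placeholder standing in for an ASCII-armored key block.
SAMPLE_PUBLIC_KEY = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    b"\n"
    b"PLACEHOLDER-KEY-MATERIAL-NOT-A-REAL-KEY\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n"
)


def build_key_email(sender, recipient, body, key_bytes):
    """Return the raw bytes of a multipart/mixed message carrying key_bytes
    as an application/pgp-keys attachment next to a plain-text body."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "My public key"
    msg.set_content(body)  # text/plain body part
    maintype, subtype = PGP_KEY_MIME_TYPE.split("/")
    # add_attachment turns the message into multipart/mixed and base64-encodes the part.
    msg.add_attachment(key_bytes, maintype=maintype, subtype=subtype,
                       filename="pubkey.asc")
    return msg.as_bytes()


def extract_pgp_keys(raw_bytes):
    """Parse a received message and return the decoded bytes of every
    application/pgp-keys attachment, in order of appearance."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    keys = []
    for part in msg.iter_attachments():  # skips the body part(s)
        if part.get_content_type() == PGP_KEY_MIME_TYPE:
            keys.append(part.get_payload(decode=True))  # undo the base64 transfer encoding
    return keys


def round_trip():
    """Build a key-carrying email and read the key back from the raw bytes."""
    raw = build_key_email("alice@example.org", "bob@example.org",
                          "Here is my public key.", SAMPLE_PUBLIC_KEY)
    return raw, extract_pgp_keys(raw)


if __name__ == "__main__":
    raw, keys = round_trip()
    print(raw.decode())
    print("recovered keys:", len(keys), "identical:", keys == [SAMPLE_PUBLIC_KEY])
```

Receiving clients that understand the part can offer to import it directly; clients that do not still show it as an ordinary attachment, so the transport works without any keyserver.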

If I attach a PGP signature in an email, it’s trivial for a MITM attack to replace my signature with their own. Without any way to verify who owns the key that was used to sign your message, what good is it? I suppose I could publish my key on my website too, but that’s a usability nightmare for everyone involved. A MITM attack could also just strip off the signature and alter the message, and I would be none the wiser.

Signal uses a much more complex key ratcheting system. It’s TOFU, but the key rotates with each message I send. The first message is vulnerable to a MITM attack, but because of the way Signal works, if I can ever send a single message to you which isn’t MITM-ed, every message sent thereafter will be secure. The earlier keys are also published to make messages deniable (a.k.a. OTR).

Even then, if you want to verify who you’re talking to, you can click on someone’s name in Signal and click “View safety number” and verify the code through a separate channel, like in person or over a text message or something.

Because your code is different for every conversation, it protects against correlation attacks. That is to say, a 3rd party watching the traffic can’t tell that all of the messages you send to different recipients came from the same person. Email+PGP doesn’t encrypt the most important information - which is the identity of the sender and receiver.

Signal is way better than PGP-over-email in every regard. The UI is better. There’s no encouragement to publish your keys or your social network. And the security ratchet is better than the static key that PGP uses. I’d pick it every time.

We are talking about public keys here, not signatures.

>It’s TOFU, but the key rotates with each message I send.

You seem to be confusing the Signal long term identities with forward secrecy.

>...if I can ever send a single message to you which isn’t MITM-ed, every message sent thereafter will be secure.

This isn't true. Signal verifies identities the exact same way PGP verifies identities. As with PGP if you haven't checked your "safety numbers" you can't be sure your messages are actually ending up with your correspondent.

>Because your code is different for every conversation, it protects against correlation attacks.

PGP normally uses a different session key for each and every message ... but that isn't really relevant for either the Signal or PGP case if we are talking about correlation. For efficiency and convenience each message is normally tagged with the encryption key fingerprint of the recipient but you can turn that off if that might be a problem in your particular application. At that point there is nothing an observer can use to determine anything about the sender or receiver.

You probably meant to reference Signal's "sealed sender". It doesn't really work in practice:

>https://www.ndss-symposium.org/ndss-paper/improving-signals-...
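The point both posters circle around (that a key learned from the first message is only trusted on first use, and that a MITM who substitutes a key is caught only when the fingerprint or "safety number" is compared over a separate channel) as an added example, not code from either participant. It is a minimal trust-on-first-use key store in Python's standard library: the first key seen for an address is pinned but marked unverified, an out-of-band fingerprint comparison upgrades it to verified, and any later change of key is refused until a human confirms it. The fingerprint format, the class and method names, and the key bytes are all my own constructed choices, not Signal's or OpenPGP's actual fingerprint algorithms.

```python
"""Trust-on-first-use key pinning with out-of-band fingerprint verification.
Added example (stdlib only); fingerprint format and key bytes are constructed."""
import hashlib
import hmac


class KeyChanged(Exception):
    """Raised when a correspondent presents a key that differs from the pinned one."""


def fingerprint(key_bytes):
    """Hypothetical display form: first 160 bits of SHA-256, in groups of 4 hex digits,
    short enough to read aloud over a phone call."""
    digest = hashlib.sha256(key_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


class KeyStore:
    def __init__(self):
        self._pins = {}  # address -> {"key": bytes, "verified": bool}

    def observe(self, address, key_bytes):
        """Record a key received for an address (e.g. from an email attachment).
        First sighting is pinned unverified; a differing key later is an error,
        because silently accepting it is exactly what a MITM needs."""
        pinned = self._pins.get(address)
        if pinned is None:
            self._pins[address] = {"key": key_bytes, "verified": False}
            return "pinned-unverified"
        if hmac.compare_digest(pinned["key"], key_bytes):
            return "verified" if pinned["verified"] else "unverified"
        raise KeyChanged(f"{address}: key changed; pinned {fingerprint(pinned['key'])}, "
                         f"received {fingerprint(key_bytes)}")

    def verify_out_of_band(self, address, spoken_fingerprint):
        """Compare a fingerprint obtained over a separate channel (in person,
        phone, SMS) with the pinned key. Only a match upgrades the pin."""
        pinned = self._pins[address]
        expected = fingerprint(pinned["key"])
        ok = hmac.compare_digest(expected, spoken_fingerprint.strip().upper())
        if ok:
            pinned["verified"] = True
        return ok

    def is_verified(self, address):
        pinned = self._pins.get(address)
        return bool(pinned and pinned["verified"])

    def accept_key_change(self, address, key_bytes):
        """Explicitly replace a pin once the correspondent has confirmed the new
        key; verification starts over from unverified."""
        self._pins[address] = {"key": key_bytes, "verified": False}


# Constructed placeholder key material, not real keys.
ALICE_KEY = b"constructed-placeholder-key-alice-1"
ALICE_KEY_SUBSTITUTED = b"constructed-placeholder-key-alice-2"


def demo():
    """Walk through first contact, out-of-band verification, and a later key
    substitution; returns the observations for inspection."""
    store = KeyStore()
    first = store.observe("alice@example.org", ALICE_KEY)
    # Alice reads her fingerprint to us over the phone; we compare it to the pin.
    verified = store.verify_out_of_band("alice@example.org", fingerprint(ALICE_KEY))
    # A later message arrives carrying a different key: refuse it loudly.
    try:
        store.observe("alice@example.org", ALICE_KEY_SUBSTITUTED)
        changed = False
    except KeyChanged:
        changed = True
    return first, verified, store.is_verified("alice@example.org"), changed


if __name__ == "__main__":
    print(demo())
```

This is the same model for PGP key signing and for Signal's safety numbers: the store only tells you that the key has not changed since you first saw it, and who the key belongs to is established by the comparison a person performs outside the channel.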