by lrvick 24 days ago
Everyone is trying so hard to re-invent PGP, while parroting that PGP is dead because some security influencers said so.

Well, there is a LOT of ongoing PGP modernization work on both specifications and implementations in recent years and my team and I at Distrust will be publishing a writeup on it any day now, as well as organizing yet another key generation and signing party in San Francisco next month.

PGP is not going away any time soon, and it is more relevant than ever.

For now check out this post about how we use it to build trust in the Linux ecosystem today: https://kron.fi/en/posts/stagex-web-of-trust/


No part of what's being proposed here has anything to do with PGP. They aren't proposing a "web of trust" with "key servers". They're proposing an immutable binding between names and key identities.

PGP's "self-sovereignty" comes from mutually agreeing with groups of people who already know each other to exchange files establishing identities. That is to trusted identity what the one time pad is to cryptography: a punt on the entire problem space.

> PGP's "self-sovereignty" comes from mutually agreeing with groups of people who already know each other to exchange files establishing identities.

Or between total strangers that met in person at a key signing party and agreed "you look like a human and not a bot to me".

We need human identity to be certified by humans using very long lived standard PKI primitives. Anything else, bots can easily monopolize to the point of being useless.

Rather than debate this here though yet again, I am working on a blog post which includes a lot of quotes, including one from you, to make a case for why PGP is still the best and most widely used and useful proof-of-human and self-sovereign PKI solution that exists, and why we should double down on it.

That comment thread is sure to be interesting.

That's fine! It's perfectly reasonable to say "this isn't a problem worth solving". But you can't then say something else actually solves the problem by punting on it. Be clearer about what you're saying, instead of invoking the specter of "security influencers".
I am not saying it is not a problem worth solving. I am actually saying PGP actually solves the problem of which key actually belongs to which person.

There are dozens of keys claiming to be Torvalds that lack credible endorsements from high reputation identities, so those are easily ignored. The one that has been signing the Linux kernel for years and signed by many people putting their reputations on the line is the one we care about.

It is intuitive and does not need a math degree to understand.

Like I said: this is to cryptographic identity what the one-time pad is to message encryption. Simple and unuseful.
It is unuseful to people with threat models that allow for entrusting their social graph to centralized identity systems managed by centrally controlled software supply chains that any compromised insider could manipulate.

For me and thousands of other Linux distro maintainers that maintain the core software supply chains and infrastructure that runs the internet, we cannot afford centralized trust graphs. Nothing else comes close to solving the problems PGP solves.

That is why it is an active IETF standard with modern cryptography and several actively maintained and widely used implementations.

Why do I trust the people who are putting their reputations on the line? If they either screwed up or are malicious, I guess I'm just out of luck?
If you can manipulate dozens of Linux maintainers to sign a key maliciously, we have bigger problems. Like a complete failure of the internet.

Decentralized human trust, or centralized corporate trust. Pick one.

If the measure here is "I met this person at an event and they were a human", and the protocol becomes actually important for proving personhood, what is the measure that stops somebody from turning up to a bunch of events and getting "human" keys signed to then repurpose for bots?
Because this is too expensive to scale, and people talk in small circles about who has signed whom. Good luck inventing thousands of fake identities with a long trust history and reputation with this approach.

Botmasters like situations where they can hide offline and buy bots blue checkmarks with stolen credit cards.

This is a fun kind of paradox. Right now it wouldn't scale well because signing parties are a niche nerd activity and having your identities signed by other GPG users doesn't really help with anything you'd want to do with a bot.

But if you were to actually succeed in making key signing parties a more common thing that people used to test for human-ness, and that test was tied to meaningful things online, it would both become easier to fake and more valuable to fake.

When you sign a key you pick a trust level. If no one reputable has ever trusted a person's key with a higher level than "human", then that key should be subject to significantly higher scrutiny.

If you look at my key, you will find it is heavily connected to the keys that sign most Linux distributions, Bitcoin, and commits to the Linux kernel today.

If those 5444 linked identities that long pre-date AI colluded to create a fake me and fake people that signed people who signed me over the last 25 years, and got those fake fingerprints in the keychains of every distro and got matching fingerprints on thousands of privately owned sites, we indeed have serious problems.

> Everyone is trying so hard to re-invent PGP

Which bit of PGP?

Self-sovereign PKI identity, key discovery, file encryption, artifact, code, review signing, security disclosures, boot signing etc etc.
Don't forget authentication! Been using PGP keys on smart cards as SSH keys for ages.
Who's reinventing a tool that can do all that?
No one. The influencers are simply telling you you're wrong if you think you need that.

Which is the thing, we do need a single key that can be used for all those things. So we get PGP.

> No one.

I thought everyone was "trying so hard to re-invent PGP".

> we do need a single key that can be used for all those things

We do? This is not obvious. Why does my disk encryption key need to be the same that I use to sign binaries that I release?

It is hard enough for people to keep up with one keychain, let alone a dozen of them for every use case in their lives.

PGP keychains allow you to have a single 24 word mnemonic seed to recover your entire digital identity, data access, etc. The UX is strictly better than the commonly suggested hodgepodge of flavor of the week alternatives.

Standards make interoperability a lot easier.

I've struggled with PGP with the idea that I can't quite express "I'm signing as this specific User ID by using this specific signing subkey"... The only way I've found to reliably express that is to maintain completely separate keys. Is there anything in the works to give ergonomics around this?
You should only be signing other people's keys with your master key which should never touch an internet connected operating system. Subkeys should have limited privileges and be easy to lose or rotate as needed, but can all live under the same master offline identity key, which acts like a personal CA.
One thing I don't like about key signing is that

1. You reveal your social graph

2. Different instances of the key can be differently signed

For someone to sign your key that information has to be stored on your key or in a central location.

The first bit seems possibly solvable with private set intersection. You can publish a salted hash of everybody you trust, and I can compute hashes of everyone I trust with your salt to see if we have anyone in common. Then I check the signature corresponding to the salted hash I like, and hopefully it doesn't reveal anything you don't want to reveal.

I don't know if anyone has actually done this in practice. Does it work?
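The salted-hash matching sketched in the comment above, as an added example (not code from any commenter or from any PGP implementation). The fingerprints are constructed labels, the salt is per-publisher, and HMAC-SHA256 stands in for "salted hash".

```python
import hashlib
import hmac
import secrets

# Constructed sample data: each party's set of trusted key fingerprints.
# These are made-up 40-hex-char strings, not real keys.
ALICE_TRUSTED = {"AAAA1111" * 5, "BBBB2222" * 5, "CCCC3333" * 5}
BOB_TRUSTED = {"BBBB2222" * 5, "DDDD4444" * 5, "CCCC3333" * 5}


def blind(fingerprint, salt):
    """Keyed hash of one fingerprint under the publisher's salt."""
    return hmac.new(salt, fingerprint.encode(), hashlib.sha256).hexdigest()


def publish(trusted, salt=b""):
    """Alice's side: pick a fresh salt (unless one is supplied for
    reproducibility) and publish only the blinded fingerprints."""
    salt = salt or secrets.token_bytes(16)
    return salt, {blind(fp, salt) for fp in trusted}


def find_overlap(salt, published, mine):
    """Bob's side: blind his own set with Alice's salt and intersect.
    He can only match fingerprints he already knows; the rest of
    Alice's list stays opaque to him beyond its size."""
    return {fp for fp in mine if blind(fp, salt) in published}


def demo():
    salt, published = publish(ALICE_TRUSTED)
    return find_overlap(salt, published, BOB_TRUSTED)
```

Caveat for anyone evaluating this: OpenPGP fingerprints are public data, so anyone holding the salt can blind every fingerprint on the keyservers and recover Alice's whole list; the salt defeats precomputed tables, not enumeration of a public keyspace.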

Having a public graph is critical for trust in Linux distributions. All it means is a human met you and agreed you are human and signed your key. It does not imply you are friends.

It is pretty useful for someone totally outside the trust graph to be able to prove the key that just signed the latest release of stagex is only a couple steps away from the keys that sign Debian and the Linux kernel. Keys that long predate AI.

Public trust accountability is exactly what we want from people responsible for the legos that make up the internet.

You can of course have private signature packets revealed as needed though.
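The "only a couple steps away" check from the comment above, as an added example (not code from any commenter, distribution or PGP tool). It does a shortest-path search over a constructed certification graph from a set of trust-anchor keys to a release-signing key; the key labels are made up.

```python
from collections import deque

# Constructed certification graph: signer -> set of keys it has signed.
# Labels are placeholders standing in for real fingerprints.
CERTIFICATIONS = {
    "kernel-maint-1": {"kernel-maint-2", "debian-ftp"},
    "kernel-maint-2": {"kernel-maint-1", "distro-dev"},
    "debian-ftp": {"distro-dev", "kernel-maint-1"},
    "distro-dev": {"release-signer"},
    "release-signer": set(),
    "lone-key": {"lone-key-2"},  # self-made cluster, no anchor vouches for it
    "lone-key-2": set(),
}
TRUST_ANCHORS = {"kernel-maint-1", "debian-ftp"}


def certification_path(graph, anchors, target):
    """Shortest chain of key signatures from any anchor to target.
    Returns the list of keys along the chain, or None when no anchor
    has a signature path to target (nobody reputable vouched for it)."""
    queue = deque((a, [a]) for a in sorted(anchors))
    seen = set(anchors)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def within_steps(graph, anchors, target, max_steps):
    """Policy check: accept target only if some anchor reaches it in at
    most max_steps certifications."""
    path = certification_path(graph, anchors, target)
    return path is not None and len(path) - 1 <= max_steps
```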

People are not Linux distributions.
But Linux distributions are made of people.