[lrvick]

I am not saying it is not a problem worth solving. I am actually saying PGP actually solves the problem of which key actually belongs to which person.

There are dozens of keys claiming to be Torvalds that lack credible endorsements from high reputation identities, so those are easily ignored. The one that has been signing the Linux kernel for years and signed by many people putting their reputations on the line is the one we care about.

It is intuitive and does not need a math degree to understand.

[tptacek]

Like I said: this is to cryptographic identity what the one-time pad is to message encryption. Simple and unuseful.

[lrvick]

It is unuseful to people with threat models that allow for entrusting their social graph to centralized identity systems managed by centrally controlled software supply chains that any compromised insider could manipulate.

For me and thousands of other Linux distro maintainers that maintain the core software supply chains and infrastructure that runs the internet, we cannot afford centralized trust graphs. Nothing else comes close to solving the problems PGP solves.

That is why it is an active IETF standard with modern cryptography and several actively maintained and widely used implementations.

[akerl_]

Why do I trust the people who are putting their reputations on the line? If they either screwed up or are malicious, I guess I'm just out of luck?

[lrvick]

If you can manipulate dozens of Linux maintainers to sign a key maliciously, we have bigger problems. Like a complete failure of the internet.

Decentralized human trust, or centralized corporate trust. Pick one.

[akerl_]

Again, this works when your userbase is a small group of highly technical people who already have social connections to each other. But then again, so would just swapping Signal security numbers.

It completely and totally collapses in the face of non-technical users or broad adoption, which is one of multiple reasons that PGP remains a thing that a small set of people use.

[tptacek]

Just to be pedantic about this: it does not in fact work; PGP has failed those kinds of user groups and platforms over and over again over the last 3 decades.

[lrvick]

And yet many of the highest risk systems that exist, the whole foundation of the internet, several governments, major corporations, and thousands of high risk individuals rely on it because centralized options will never be agreed to by all parties, for good reason.

I have lost count of the orgs I have personally trained to use PGP properly in recent years.

In spite of your claims, PGP solves the problem it was designed to solve for the groups that need it most and the tooling is getting rapidly more accessible to a wider audience with more development energy today than it has ever had.

This is not 2016 PGP we are talking about anymore.

[tptacek]

That's a weird thing to say. Yes, it is? What are you claiming is different about it? In fact, there are ways in which it has regressed from 2016's incarnation.