by akerl_ 16 days ago
Again, this works when your userbase is a small group of highly technical people who already have social connections to each other. But then again, so would just swapping Signal security numbers.

It completely and totally collapses in the face of non-technical users or broad adoption, which is one of multiple reasons that PGP remains a thing that a small set of people use.


Just to be pedantic about this: it does not in fact work; PGP has failed those kinds of user groups and platforms over and over again over the last 3 decades.

And yet many of the highest risk systems that exist, the whole foundation of the internet, several governments, major corporations, and thousands of high risk individuals rely on it because centralized options will never be agreed to by all parties, for good reason.

I have lost count of the orgs I have personally trained to use PGP properly in recent years.

In spite of your claims, PGP solves the problem it was designed to solve for the groups that need it most and the tooling is getting rapidly more accessible to a wider audience with more development energy today than it has ever had.

This is not 2016 PGP we are talking about anymore.

That's a weird thing to say. Yes, it is? What are you claiming is different about it? In fact, there are ways in which it has regressed from 2016's incarnation.

Where even to begin.

A renewed IETF working group that aggressively deprecated legacy ciphers and mandated modern ones with optional PQ crypto support (RFC 9580). Lots of actively developed Rust implementations like rPGP, rsop, rpgpie, sequoia. Easy key provisioning and backup with smartcard support via keyfork. Smartcards with Rust firmware by Nitrokey. Modern key distribution and trust bootstrapping via openpgp-ca, hagrid, keyoxide, etc.

GnuPG is admittedly garbage, but also that has not been a valid implementation of PGP specifications for a while and no one should use it anymore. PGP != GPG

I would strongly suggest taking a hard look at the last decade of thankless work going on to modernize the PGP ecosystem we all rely on directly or indirectly.

Currently writing up the above and a lot more in detail to refute years of outdated rhetoric on this topic so we can start having more useful conversations about it.

It's thankless because it's a bunch of folks at the county fair running around putting lipstick on all the pigs.

Having a bunch of implementations of an omnibus package that tries to be a crypto Swiss Army knife, written almost exclusively without the input of cryptographers, is actually not a desirable goal.

And none of the back seat drivers ever have alternatives to suggest that solve the same problems while having bothered to endure the IETF standardization process, and thus PGP will continue to be the trust foundation of the software supply chain of the internet for the foreseeable future.

This fragile network we all use is made of a mountain of pigs that continually need their lipstick reapplied by people that do it for free or near free out of a desire to keep the whole thing running for everyone.

Said people even do it for the users that stay at a safe distance pointlessly saying "We should go back in time and build it differently in unspecified ways!".

"It's great! You just have to not use the de facto standard implementation everybody uses."

Got it.

And also everyone you interact with has to use an alternate implementation!

GnuPG is not the final say for PGP any more than IE6 was the final say for the web. Migrating off IE6 took a while and so will migrating legacy systems off GnuPG. New users of PGP are thankfully mostly using new gen reasonably secure tools.

Just like IE6, GnuPG abandoned the global standardization processes and in doing so forced an expensive migration to successors.

Global changes on the internet take decades in part because of all the people far removed from the process spreading outdated information and demanding we give up on standards and move the whole world to centralized solutions that do not even solve the same problems, like Java Applets, Adobe Flash, or Signal.

Meanwhile those standardizing and rolling out longer term solutions roll their eyes and keep doing the work.