[tptacek]

If everyone is moving to new software, in a migration that is barely 5% underway, why would you migrate to PGP of all possible cryptosystems? It's 2026.

I'd pose this challenge to you: find the most reputable cryptography engineer or academic cryptographer you can find that believes this is a good idea. I'd be interested if you could find even one. Fair warning: some of my confidence talking down PGP comes from knowing what the conventional wisdom among cryptographers is about the PGP cryptosystem.

[lrvick]

New software that is compatible with any keys generated with good-enough ciphers from the last decade. Compatibility wins.

If we are going to play the appeal to authority game, I could just as easily challenge you to find any willing to publicly point out any serious issues with the current PQ focused OpenPGP standards with implementations using libraries by accomplished cryptographers. I am sure they would appreciate constructive feedback. Encourage them to join the specification process and recommend specific alternatives and migration paths.

I also wonder if we could find any that would not scrap TLS DNS and a lot of IETF protocols that run the internet today if they could. Decentralized protocols are messy but anything that tries to replace them without first taking the time to understand the current uses and migration path has no hope of success, and that is brutally difficult political work full of careful compromises.

Famous cryptographers have long advocated for things like tcpcrypt, and I even agree with them, but it will probably never happen. Too disruptive. We are still rolling out IPv6 FFS. When faced with an established global internet, compatible lower disruption migration steps are the only way forward as most experienced security engineers would begrudgingly agree.

Cryptographers should absolutely focus on the security of the ciphers, but when it comes to applications, and human privacy and security goals, and human to human trust bootstrapping protocols, the conversation has to get a lot wider. It is normally dominated by security engineers like us close to the hands on use cases, and the people doing the hard work in the working groups and tool development circles that understandably wish to quietly read different takes from a safe distance.

[akerl_]

Some notes:

Cryptography basically always explodes at the joinery. One of the guiding principles of modern cryptographic tools is designing implementations that do not have footguns, where the default behavior solves the default threat model and dangerous things are outright impossible. This has been apparent in the string of GPG security failures over the past several years. It's not that somebody breaks RSA or AES. It's that the tools willingly emit bad data because of bad error handling, and then users are told they were holding it wrong and it's their fault for choosing a bad implementation.

Maybe it's worth asking if the reason cryptographers aren't engaging with the work to "modernize" PGP, and that instead we're seeing them building and shipping individual focused solutions to specific workflows, is perhaps because their constructive feedback is akin to ~"you are fundamentally trying to prop up a house of cards that should not exist"

[lrvick]

So you are saying that the solution is that we go to the majority of active and reputable PGP keyholders, Linux maintainers, and tell them to stop signing the binaries that run the internet, and just yolo, because that worked so well for NPM?

I really hope I am misunderstanding you.

[akerl_]

Yes, you’re misunderstanding me.

I’m saying several things, but since you’re really focused on Linux package signing, I’m saying about that: PGP is a bunch of theatre there and distros should use minisign instead.

Linux package signing is a great example of where PGP is goofy. Users of Linux distros get their root of trust by downloading a keyring from the exact same place they download the distro ISO. To a rounding error, no users are checking a trust path from them to a distro maintainer, nor does the trust path between one maintainer and another matter.

Distros are themselves centralized entities. They already run bug trackers and forums and centralized package repos that necessitate an authentication system.

So PGP effectively becomes a clunky behemoth whose output is just “every package has a signature that is checked against a centrally curated set of keys that get shipped around to users”.

Moving to minisign would be a strict improvement.

[lrvick]

> PGP is a bunch of theatre there and distros should use minisign instead.

Okay so drop the IETF standard, web of trust, smartcard support, and external key discovery mechanisms to prove the whole keychain was not swapped out with a fake one, and just have everyone generate minisign keys exposed to system memory with no trust link backwards, and then sign things with probably the same algorithms. But then we cannot sign commits or code reviews with minisign because non standard, so i guess use ssh keys for those, and then maintain multiple keychains for each person.

Minisign is strictly worse in every way. Your camp will never convince Linux maintainers to switch with this pitch.

Many of us actually do verify the web of trust, extensively. I have many Linux maintainers in my own keychain independent from their usage in linux distros. Minisign has no such key distribution and accountability system.

[akerl_]

> Okay so drop the IETF standard, web of trust, smartcard support, and external key discovery mechanisms to prove the whole keychain was not swapped out with a fake one, and just have everyone generate minisign keys exposed to system memory with no trust link backwards, and then sign things with probably the same algorithms. But then we cannot sign commits or code reviews with minisign because non standard, so i guess use ssh keys for those, and then maintain multiple keychains for each person.

Yes, all of that.

[tptacek]

I'm going to take "the appeal to authority game" as an agreement that you think it's unlikely you'd find such a person to vouch for a modernized rebirth of PGP, or really any continued use of PGP.

[lrvick]

I could name a few off the top of my head, some of which have audited my teams work, but I do not want to put specific people on blast. Most cryptographers I know tend to prefer math to internet controversy and I do not blame them.

That said protonmails lead cryptographer has been quite public about his support of the refresh and helping lead some efforts https://proton.me/blog/openpgp-crypto-refresh

I have dozens of more examples of high risk orgs with cryptography teams relying on PGP I am compiling for my post right now. Added a bunch of extra ones just for you.

Honestly from my side of the table, it is the anti-pgp camp that appears to be the loud minority. The world quietly runs on "dead" PGP technology so deeply that any calls for a complete replacement without any compatibility or trust transition path are clearly under-researched and should not be taken seriously.

I have a hard time imagining many cryptographers deeply aware of the impossibility of any rapid transition away from PGP would suggest we abandon the migration to secure modern ciphers now.

A lot of people would like to -eventually- move away from openssl too, myself among them, but not updating to openssl 4 and beyond in the short term would be a world burn kind of move.