[akerl_]

Some notes:

Cryptography basically always explodes at the joinery. One of the guiding principles of modern cryptographic tools is designing implementations that do not have footguns, where the default behavior solves the default threat model and dangerous things are outright impossible. This has been apparent in the string of GPG security failures over the past several years. It's not that somebody breaks RSA or AES. It's that the tools willingly emit bad data because of bad error handling, and then users are told they were holding it wrong and it's their fault for choosing a bad implementation.

Maybe it's worth asking if the reason cryptographers aren't engaging with the work to "modernize" PGP, and that instead we're seeing them building and shipping individual focused solutions to specific workflows, is perhaps because their constructive feedback is akin to ~"you are fundamentally trying to prop up a house of cards that should not exist"

[lrvick]

So you are saying that the solution is that we go to the majority of active and reputable PGP keyholders, Linux maintainers, and tell them to stop signing the binaries that run the internet, and just yolo, because that worked so well for NPM?

I really hope I am misunderstanding you.

[akerl_]

Yes, you’re misunderstanding me.

I’m saying several things, but since you’re really focused on Linux package signing, I’m saying about that: PGP is a bunch of theatre there and distros should use minisign instead.

Linux package signing is a great example of where PGP is goofy. Users of Linux distros get their root of trust by downloading a keyring from the exact same place they download the distro ISO. To a rounding error, no users are checking a trust path from them to a distro maintainer, nor does the trust path between one maintainer and another matter.

Distros are themselves centralized entities. They already run bug trackers and forums and centralized package repos that necessitate an authentication system.

So PGP effectively becomes a clunky behemoth whose output is just “every package has a signature that is checked against a centrally curated set of keys that get shipped around to users”.

Moving to minisign would be a strict improvement.

[lrvick]

> PGP is a bunch of theatre there and distros should use minisign instead.

Okay so drop the IETF standard, web of trust, smartcard support, and external key discovery mechanisms to prove the whole keychain was not swapped out with a fake one, and just have everyone generate minisign keys exposed to system memory with no trust link backwards, and then sign things with probably the same algorithms. But then we cannot sign commits or code reviews with minisign because non standard, so i guess use ssh keys for those, and then maintain multiple keychains for each person.

Minisign is strictly worse in every way. Your camp will never convince Linux maintainers to switch with this pitch.

Many of us actually do verify the web of trust, extensively. I have many Linux maintainers in my own keychain independent from their usage in linux distros. Minisign has no such key distribution and accountability system.

[akerl_]

> Okay so drop the IETF standard, web of trust, smartcard support, and external key discovery mechanisms to prove the whole keychain was not swapped out with a fake one, and just have everyone generate minisign keys exposed to system memory with no trust link backwards, and then sign things with probably the same algorithms. But then we cannot sign commits or code reviews with minisign because non standard, so i guess use ssh keys for those, and then maintain multiple keychains for each person.

Yes, all of that.

[lrvick]

At this point I can only conclude you are a troll, but if you are actually serious, I challenge you to prove it. I put in the work in the community for my side of this debate.

I would suggest you pick one of the mainline Linux distros that relies on PGP and make a detailed RFC with a plan to downgrade their security to your non standard minisign/ssh solution with private keys exposed in system memory as you propose, and make a convincing case why it is worth it and what advantages they get for doing so.

Let me know if you do. I am sure it will be a great case study.

[akerl_]

Thankfully OpenBSD did my work for me:

https://www.openbsd.org/papers/bsdcan-signify.html