I've done similar work and would not describe myself as a cryptography engineer, just a systems person with a security specialization. (I've been pretty consistent about this point on HN, this isn't just something I'm saying because it's convenient for the thread).
When you worked with those cryptographers, did any of them stick up for PGP? Which ones? I'm not making up the attitude I'm describing.
How do you respond to the PGP format points raised in that post? How do you respond to the prevalence of the MDC construction?
> When you worked with those cryptographers, did any of them stick up for PGP? Which ones? I'm not making up the attitude I'm describing.
I am not going to drag anyone else or their reputations into this conversation but they can chime in if they want to.
The general vibe I get about PGP among the cryptography engineers in my universe, that I share, is that it is an awkward spec that would have never been designed today, and has a lot of legacy ciphers that should never be used anymore that modern tooling must not expose, etc. But also, that re-inventing very widely used and established standards and tools that are secure enough for those use cases is rarely worth it.
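The "legacy ciphers modern tooling must not expose" and the MDC question raised earlier are both visible in the packet framing of a message, so here is an added illustration (not from any commenter above, and not code from any OpenPGP implementation): a small Python inspector that walks OpenPGP packet headers per RFC 4880 / RFC 9580 and reports whether the message relies on the legacy tag-9 SED container, the SEIPD v1 MDC construction, or SEIPD v2 AEAD, and which symmetric cipher the SKESK packets name. The three sample messages are hand-constructed byte strings (zero-filled ciphertext, made-up S2K salt), not real GnuPG output; partial-body and indeterminate lengths are rejected rather than streamed.

```python
"""Classify the encryption container and ciphers an OpenPGP message uses.

Added example for this thread; not code from any commenter or from any
OpenPGP implementation.  Packet layouts follow RFC 4880 and RFC 9580.
"""

# Packet tags (RFC 9580 "Packet Tags").  Tag 19 (MDC) only appears inside
# the decrypted SEIPD v1 body, so it never shows up at top level.
TAG_NAMES = {
    1: "PKESK", 2: "Signature", 3: "SKESK", 4: "One-Pass Signature",
    5: "Secret Key", 6: "Public Key", 7: "Secret Subkey", 8: "Compressed Data",
    9: "SED", 10: "Marker", 11: "Literal Data", 12: "Trust", 13: "User ID",
    14: "Public Subkey", 17: "User Attribute", 18: "SEIPD", 19: "MDC", 21: "Padding",
}

# Symmetric-key algorithm IDs.  Everything before AES is a 1990s holdover.
SYM_ALGO_NAMES = {
    0: "Plaintext", 1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
    7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish",
    11: "Camellia-128", 12: "Camellia-192", 13: "Camellia-256",
}
LEGACY_SYM_ALGOS = {0, 1, 2, 3, 4}


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"offset {pos}: bit 7 clear, not a packet header")
        if first & 0x40:  # new format: 6-bit tag, variable-width length
            tag = first & 0x3F
            l0 = data[pos + 1]
            if l0 < 192:
                length, pos = l0, pos + 2
            elif l0 < 224:
                length, pos = ((l0 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif l0 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not supported in this inspector")
        else:  # old format: 4-bit tag, 2-bit length type
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported in this inspector")
            nbytes = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        pos += length
        yield tag, body


def classify_encryption(data: bytes) -> dict:
    """Summarise container type, ciphers named, and anything legacy."""
    report = {"packets": [], "container": None, "ciphers": [], "legacy": []}
    for tag, body in parse_packets(data):
        report["packets"].append(TAG_NAMES.get(tag, f"tag {tag}"))
        if tag == 9:
            report["container"] = "SED: no integrity protection (malleable CFB)"
            report["legacy"].append("SED packet (tag 9)")
        elif tag == 18:
            version = body[0]
            if version == 1:
                report["container"] = "SEIPD v1: CFB + SHA-1 MDC (RFC 4880)"
            elif version == 2:
                # v2 body: version, cipher algo, AEAD algo, chunk size, 32-octet salt, ...
                report["container"] = "SEIPD v2: AEAD (RFC 9580)"
                report["ciphers"].append(SYM_ALGO_NAMES.get(body[1], f"algo {body[1]}"))
            else:
                report["container"] = f"SEIPD v{version}: unrecognised"
        elif tag == 3:
            # SKESK v4/v5: version, cipher algo, ...; v6 inserts a field-count octet first.
            version = body[0]
            algo = body[2] if version == 6 else body[1]
            name = SYM_ALGO_NAMES.get(algo, f"algo {algo}")
            report["ciphers"].append(name)
            if algo in LEGACY_SYM_ALGOS:
                report["legacy"].append(f"SKESK cipher {name}")
    return report


# Constructed sample messages (zero-filled ciphertext, made-up S2K salt).
SALT8 = bytes(range(1, 9))
LEGACY_MSG = (
    bytes([0xC3, 0x0D, 0x04, 0x03, 0x03, 0x08]) + SALT8 + bytes([0xC0])  # SKESK v4, CAST5
    + bytes([0xA4, 0x14]) + bytes(20)                                    # SED, old-format header
)
MDC_MSG = (
    bytes([0xC3, 0x0D, 0x04, 0x09, 0x03, 0x08]) + SALT8 + bytes([0xC0])  # SKESK v4, AES-256
    + bytes([0xD2, 0x17, 0x01]) + bytes(22)                               # SEIPD v1 (MDC)
)
AEAD_MSG = (
    bytes([0xD2, 0x44, 0x02, 0x09, 0x02, 0x06]) + bytes(32) + bytes(32)  # SEIPD v2, AES-256/OCB
    + bytes([0xD5, 0xC0, 0x08]) + bytes(200)                              # Padding, 2-octet length
)

if __name__ == "__main__":
    for name, msg in [("legacy", LEGACY_MSG), ("mdc", MDC_MSG), ("aead", AEAD_MSG)]:
        print(name, classify_encryption(msg))
```

Run it on a real `.gpg` file (after `gpg --dearmor` if it is ASCII-armored) and the first thing to look at is `container`: a tag-9 SED or a pre-AES cipher in the report is exactly the kind of output modern tooling is expected to refuse to produce.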
PGP is the bootstrap trust layer for the internet, governments, Linux distros, and critical infrastructure all over the world and it is not going away, so might as well take advantage of the compatibility wins of modernizing it.
We would have designed HTTP and TLS and the internet as a whole a -lot- differently today too. They are broken as hell but the job is to improve and upgrade even when it would be more fun to start over. In hindsight, everything is shit. But I am not about to try to make a new internet and convince people to use it. That is more complex to do than living with and working around the early dumb design choices when they can be made secure.
We do not just abandon HTTP and TLS, we navigate early awkward choices and we debate and iterate on new versions of standards. Similarly, many teams, including mine, put in the work to modernize PGP tooling, and the OpenPGP working group still exists and still iterates on the standard (though admittedly not as much as many of us would like).
It is my general opinion that for all the faults of PGP, it is still the best personal cryptographic-identity-anchored encryption and signing solution we have, especially when combined with smartcards and keyoxide. From there a rich ecosystem of tooling builds on top of that.
PGP (with modern tooling and ciphers) is much more sensible to recommend over a fragmented set of one-trick tools with no key discovery, validation, or backup strategy that are bound to leave users with lost, stolen, or impersonated keys.
Anyways, at this point my feeling is that you've essentially conceded the actual point I was making (that PGP is itself also a shitshow of 1990s cryptography), and answered that you just don't care that it is. That's a perfectly coherent point to make and not one I'm super interested in litigating today.
I have only read that single post by that author and it passed my logic smoke test on a first pass. I am not commenting on any other work by that author and this seems like an ad hominem argument rather than refuting any content of that article.
Also I never actually disagreed that PGP as a specification has a lot of 1990s holdovers given its history and age. Thankfully we have modern tooling now with reasonably secure defaults.
I was mostly arguing against the article you shared whose conclusions I absolutely disagree with.
IMO OpenPGP, however aged the spec design, when used with modern tools in turn using the unified smartcard interfaces, is still a way better choice than a hodgepodge of ssh keys, minisign, age, openssl, etc. without any standardized solutions for key revocation, rotation, backup, discovery, verification, etc.
This has been a mostly unproductive thread that has done a good job of avoiding the point of my original comment, which is that the archaisms in PGP are not merely a consequence of the GnuPG implementation, but also deeply embedded into the standard itself. I don't care if you feel like PGP is still a worthy tool (I don't think it is, but I get that we can go back and forth on that). You made (by implication) a false claim, and it was false in an important way, and it has now been falsified.
I have made no false claims or implications that I am aware of.
Mainly I was arguing against your implication that PGP is the wrong tool for any job, as your link concluded.
I don't doubt you or a lot of people could build something better, but nobody has yet, and I doubt any will get it as widely adopted and supported end to end for all the use cases PGP is used for today. PGP is here to stay, and thus must be maintained and improved.
I don't see bikeshedding about things that could have been done better historically in the spec itself as productive, as there are no significant security problems with any of the active uses of PGP I use or am aware of in wide use today, if done with modern tools and with modern cipher defaults.
I would not recommend generating keys with GnuPG today any more than I would recommend using Internet Explorer. Advising against old broken implementations is not the same thing as saying we should abandon an established widely used cryptographic identity standard for which no comparable alternatives exist. Especially when alternative tooling with reasonable secure defaults exists now.
I doubt this discussion was productive for you or me, but hopefully it will be productive for others reading trying to make sense of their choices and tradeoffs.
I do appreciate people like you keeping me honest on this stuff regardless.
I believe lrvick said that the spec isn't perfect but works fine in practice, and advises against old broken implementations of it. We will see. In any case, imperfection does not imply fundamental flaw.
I might have missed it. Have you elaborated on why you think OpenPGP is fundamentally flawed? Do you know of any GPG replacements (or rather, OpenPGP replacements)? I want encryption, signing, key management, email integration (optional), multiple recipients, subkeys, revocation certificates, web of trust (even if unused), smart card support, and so on.
"Works fine in practice" is not responsive to "outmoded fundamentally, not just by one implementation". That commenter is substituting their own rooting interest in a particular outcome with a straightforward descriptive claim about the standard.
I will not, because I joined this subthread to make a specific point (that the other commenter was simply wrong that the archaisms in PGP/OpenPGP are a mere consequence of GnuPG and avoidable by avoiding GnuPG), and this whole subthread has been an exercise in avoiding that point and switching to other more tractable arguments. I'm sorry, but I'm not interested.
Cool, so we got two people here who kept saying "PGP is shit", but when asked for an alternative, they weasel out with "no thanks", or "I will not [say]"? Yeah, okay. Got it. I hope you realize it weakens everything you have said. Hell, there is nothing to weaken to begin with!
> (that the other commenter was simply wrong that the archaisms in PGP/OpenPGP are a mere consequence of GnuPG and avoidable by avoiding GnuPG)
Didn't read it like that though, it read like "OpenPGP is shit", and I could quote you where you are claiming exactly that:
> outmoded fundamentally, not just by one implementation
While obviously I can present alternatives to OpenPGP and have done so, including on this thread, it's important that you understand that this isn't how engineering works. If something is observed to be flawed, it's flawed. Whether or not alternatives are presented with the observation doesn't change its validity.
I understand what you are saying. Can you tell me in what ways OpenPGP is flawed and what the alternative is to achieve everything GPG supports? Legit question. If it does everything GPG does, but does it better, then people (including me) may switch.
I'm really not interested in whether you switch. To me, for the problem domains we're really talking about, this is like talking someone out of wearing a Kangol hat. You do you.
This is absurd. You have not told me (or anyone else for that matter) what to switch to and why.
You cannot be taken seriously. At this point I think you are full of shit.
If you care about security, you should care about people switching, but you do you. Keep it to yourself, keep it a secret, and keep bitching about OpenPGP, I suppose.