This has been a mostly unproductive thread that has done a good job of avoiding the point of my original comment, which is that the archaisms in PGP are not merely a consequence of the GnuPG implementation, but also deeply embedded into the standard itself. I don't care if you feel like PGP is still a worthy tool (I don't think it is, but I get that we can go back and forth on that). You made (by implication) a false claim, and it was false in an important way, and it has now been falsified.
I have made no false claims or implications that I am aware of.
Mainly I was arguing at your implication that PGP is the wrong tool for any job as your link concluded.
I don't doubt you or a lot of people could build something better, but nobody has yet, and I doubt any will get it as widely adopted and supported end to end for all the use cases PGP is used for today. PGP is here to stay, and thus must be maintained and improved.
I don't see bike shedding about things that could have been done better historically in the spec itself as productive as there are no significant security problems with any of the active uses of PGP I use or am aware of in wide use today, if done with modern tools and with modern cipher defaults.
I would not recommend generating keys with GnuPG today any more than I would recommend using Internet Explorer. Advising against old broken implementations is not the same thing as saying we should abandon an established widely used cryptographic identity standard for which no comparable alternatives exist. Especially when alternative tooling with reasonable secure defaults exists now.
I doubt this discussion was productive for you or me, but hopefully it will be productive for others reading trying to make sense of their choices and tradeoffs.
I do appreciate people like you keeping me honest on this stuff regardless.
I believe lrvick said that the spec isn't perfect but works fine in practice, and advises against old broken implementations of it. We will see. In any case, imperfection does not imply fundamental flaw.
I might have missed it. Have you elaborated on why you think OpenPGP is fundamentally flawed? Do you know of any GPG replacements (or rather, OpenPGP replacements)? I want encryption, signing, key management, email integration (optional), multiple recipients, subkeys, revocation certificates, web of trust (even if unused), smart card support, and so on.
"Works fine in practice" is not responsive to "outmoded fundamentally, not just by one implementation". That commenter is substituting their own rooting interest in a particular outcome with a straightforward descriptive claim about the standard.
I will not, because I joined this subthread to make a specific point (that the other commenter was simply wrong that the archaisms in PGP/OpenPGP are a mere consequence of GnuPG and avoidable by avoiding GnuPG), and this whole subthread has been an exercise in avoiding that point and switching to other more tractable arguments. I'm sorry, but I'm not interested.
Cool, so we got two people here who kept saying "PGP is shit", but when asked for an alternative, they weasel out with "no thanks", or "I will not [say]"? Yeah, okay. Got it. I hope you realize it weakens everything you have said. Hell, there is nothing to weaken to begin with!
> (that the other commenter was simply wrong that the archaisms in PGP/OpenPGP are a mere consequence of GnuPG and avoidable by avoiding GnuPG)
Didn't read it like that though, it read like "OpenPGP is shit", and I could quote you where you are claiming exactly that:
> outmoded fundamentally, not just by one implementation
While obviously I can present alternatives to OpenPGP and have done so, including on this thread, it's important that you understand that this isn't how engineering works. If something is observed to be flawed, it's flawed. Whether or not alternatives are presented with the observation doesn't change its validity.
I understand what you are saying. Can you tell me in what ways OpenPGP is flawed and what the alternative is to achieve everything GPG supports? Legit question. If it does everything GPG does, but does it better, then people (including me) may switch.
I'm really not interested in whether you switch. To me, for the problem domains we're really talking about, this is like talking someone out of wearing a Kangol hat. You do you.
This is absurd. You have not told me (or anyone else for that matter) what to switch to and why.
You cannot be taken seriously. At this point I think you are full of shit.
If you care about security, you should care about people switching, but you do you. Keep it to yourself, keep it a secret, and keep bitching about OpenPGP, I suppose.
