+1
Efail caused me to run across the criticism that Moxie Marlinespike wrote about GnuPG/OpenPGP in early 2015.
https://moxie.org/blog/gpg-and-me/It felt to me that without naming it, he'd focused on the email use case to the exclusion of others, missing those other niches Robert Hansen mentioned in his "Efail Postmortem".
Reading the Postmortem, I recalled another article about how being "mediocre" can actually be a good thing.
https://www.ribbonfarm.com/2018/04/24/survival-of-the-mediocre-mediocre/Poor things die for being ill-suited to purpose, cutting-edge things are often brittle and fail spectacularly when the problem varies too far from the design considerations. OpenPGP has maybe been so begrudgingly successful all this time because it's been /mediocre/ enough to remain flexible to adapt to changes in cryptography and best practices and discoveries about insecurities we weren't aware of in the past.
I think Efail has shown now that OpenPGP/GnuPG retains the flexibility to continue to adapt and maintain a well used and trusted standard for private and authenticated data and communications, but it won't achieve this if its evolution is frozen.
It seems to me that if the pearl-clutchers who would howl too loudly about breaking backwards compatibility were as concerned as they claim, they would realize that software evolves. But this evolution doesn't eradicate its past. GnuPG is open software. It's ganoo-pee-gee!
If you're a pearl-clutcher with a legacy use-case, perhaps it's time to really analyze that case. Do you have a darn good reason to want to expose yourself to creeping insecurity? Because its history won't be eradicated, if you /do/ have good reasons, you can maintain for yourself a legacy fork. To do that you may need to have certain skills or be willing to hire-out for them.
I think that's fair. It's free as in freedom, not beer, not support. For my vote, I think persons so situated might have suddenly imposed upon the larger community long enough, now that Efail has taught us something we may not have fully appreciated about the present state of OpenPGP and the way it's been pipelined with other tools.
I cannot accept that "Pretty Good Privacy" is at risk, through apathy and underfunding and WG failures, of becoming "Passivity Guaranteed Peril".
Robert signed off:
Never forget that we’re on the same side, and the people on the other side include tyrants and murderers. Let’s stick together.
Oh yes! From whatever corner you fear most a bogeyman might be lurking, one of the best ways to protect freedom and liberty is by ensuring that the general public always has a trustworthy cryptosystem at their disposal. Maybe it secures an oppressed group from a tyrant, maybe it authenticates a contract that existed after a dispute arises, maybe it's simply ensuring your new laptop isn't becoming co-opted to into making you an unwitting slave of cryptocoin pirates. These are all good reasons to register support.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
