[email protected] wrote in <[email protected]>:
|> Demi Marie Obenour (she/her/hers)
|> In light of the recent GnuPG vulnerabilities, I remembered that OpenPGP
|> is almost never the right choice. CMS/PKCS#7 isn't any better, and
|> X.509 is also bad except that its extremely wide deployment in TLS
|> keeps it alive.
|>
|> See https://www.latacora/com/blog/2019/07/16/the-pgp-problem/
|>
|> and https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/.
|then what do you suggest to use? i hear it all the time "pgp sucks" \
|but what's the alternative huh?

I know a gentle and forgiving Russian who said (since "crypto saves the
world" simply quoting all this shamelessly)

Years ago I started to recommend age (https://age-encryption.org/) for
file encryption and "ssh-keygen -Y" for making ed25519 signatures. But
both of them do not support post-quantum cryptographic algorithms.
[.]
As well as I have not tried it, but read very carefully the
format/protocol specification of https://saltpack.org/ and it is
definitely done right and pretty minimalistic.

Especially in favour of MessagePack instead of JSON/CBOR (as also used by
saltpack).

Where this all would end when year++ long working group workouts get
simply bypassed by working implementations, one can wonder.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
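The "ssh-keygen -Y" signing workflow the quoted recommendation refers to, as an added example that is not part of the thread: it signs a constructed manifest with an ed25519 key, verifies it against an allowed_signers file, and checks that a tampered payload and a wrong namespace are both rejected. The principal "release@example.com", the namespace "file" and the file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH 8.0+ (which
# introduced "ssh-keygen -Y"). Principal, namespace and payload are constructed.

# Returns 0 when the genuine signature verifies AND a tampered payload AND a
# wrong namespace are both rejected; returns 1 on any other outcome.
ssh_sign_verify_demo() {
    workdir=$(mktemp -d) || return 1
    key="$workdir/id_ed25519"
    signers="$workdir/allowed_signers"
    principal="release@example.com"

    # 1. Signing key (unencrypted only because this is a self-contained demo).
    ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$key" || return 1

    # 2. Constructed payload.
    printf 'release-1.2.3.tar.gz sha256=0123abcd\n' > "$workdir/manifest.txt"

    # 3. Detached signature, written to manifest.txt.sig. The namespace (-n)
    #    is covered by the signature, so a "file" signature cannot later be
    #    presented as one made for a different purpose.
    ssh-keygen -Y sign -f "$key" -n file "$workdir/manifest.txt" || return 1

    # 4. Verifier-side trust store: "<principal> <keytype> <base64 key>".
    printf '%s %s\n' "$principal" "$(cut -d' ' -f1,2 "$key.pub")" > "$signers"

    # 5. The genuine payload must verify.
    ssh-keygen -Y verify -f "$signers" -I "$principal" -n file \
        -s "$workdir/manifest.txt.sig" < "$workdir/manifest.txt" >/dev/null 2>&1 || return 1

    # 6. A one-character change to the payload must be rejected.
    printf 'release-1.2.3.tar.gz sha256=0123abce\n' > "$workdir/tampered.txt"
    if ssh-keygen -Y verify -f "$signers" -I "$principal" -n file \
        -s "$workdir/manifest.txt.sig" < "$workdir/tampered.txt" >/dev/null 2>&1; then
        return 1
    fi

    # 7. The same signature checked under another namespace must be rejected.
    if ssh-keygen -Y verify -f "$signers" -I "$principal" -n email \
        -s "$workdir/manifest.txt.sig" < "$workdir/manifest.txt" >/dev/null 2>&1; then
        return 1
    fi

    rm -rf "$workdir"
    return 0
}

# Run the checks when the script is executed directly.
ssh_sign_verify_demo && echo "sign/verify checks passed" || echo "checks FAILED"
```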
