On 7/17/19 5:40 AM, ronpunz wrote:
Reading this article,
https://latacora.micro.blog/2019/07/16/the-pgp-problem.html, it's clear
the authors have little to no confidence in the security or capabilities
of PGP encryption.

Is this article a scaremongering propaganda exercise, or do they have
valid concerns about why we should not be using PGP? They seem to
advocate using OpenBSD's Signify - do we move to this?

I worry when I read articles like this, because they make some good points (along with some bad ones) against PGP but their recommendations often demonstrate a blindness to the things they're criticizing.

Case in point: 'Use Signal.' While Signal is a pleasure to use for many people, it's tied to identities in the telephone system, which is a problem from the 1890s, not the 1990s. When I see this slip-up, I start worrying about the soundness of their other recommendations.

I also don't necessarily agree with the idea that many different encryption tools should be used for many different purposes. This is another red flag for me, because it hides deeper UX and compatibility issues behind a veneer of simplistic apps.

Yet another red flag is the way the author treats some of PGP's problems as specific to an old design, when really the problem is more fundamental. Leaking metadata, for example, is a common problem that bedevils even programs like Tor.

And yet another is arguing from the assumption that Web Of Trust is a necessary ingredient in PGP usage. It isn't, and that fact dispels many claims that PGP is too complex to use.

IMO, the reason we're having this bout of "don't use PGP" is the keyserver vulnerability that enables the recent spate of DoS attacks. This problem is rooted in design, but luckily doesn't run deep and is therefore solvable. That's not to say I think PGP is just fine, but if we're going to move beyond it and its (admittedly crummy) formats then we should have something else to manage identity across a broad range of use cases – we should have a proper replacement. Otherwise, I fear that information security as a field will have failed.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/de86c214-a496-aa2d-dd61-e1620302ca27%40posteo.net.