Thanks for your comprehensive reply.

I think you're right, Signal isn't the be-all and end-all that some
people think it is. Here's a comprehensive pro-PGP piece:
https://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/

On 7/17/19 11:11 AM, Chris Laprise wrote:
> On 7/17/19 5:40 AM, ronpunz wrote:
>> Reading this article,
>> https://latacora.micro.blog/2019/07/16/the-pgp-problem.html, it's clear
>> the authors have little to no confidence in the security or capabilities
>> of PGP encryption.
>>
>> Is this article a scaremongering propaganda exercise or do they have
>> valid concerns about why we should not be using PGP? They seem to
>> advocate using OpenBSD's Signify - do we move to this?
>
> I worry when I read articles like this, because they make some good
> points (along with some bad ones) against PGP but their
> recommendations often demonstrate a blindness to the things they're
> criticizing.
>
> Case in point: 'Use Signal.' While Signal is a pleasure to use for
> many people, it's tied to identities in the telephone system, which is
> a problem from the 1890s not 1990s. When I see this slip-up, I start
> worrying about the soundness of their other recommendations.
>
> I also don't necessarily agree with the idea that many different
> encryption tools should be used for many different purposes. This is
> another red flag for me, because it hides deeper UX and compatibility
> issues behind a veneer of simplistic apps.
>
> Yet another red flag is the way the author treats some of PGP's
> problems as specific to an old design, when really the problem is more
> fundamental. Leaking metadata, for example, is a common problem that
> bedevils even programs like Tor.
>
> And yet another is arguing from the assumption that Web Of Trust is a
> necessary ingredient in PGP usage. It isn't, and that fact dispels
> many claims that PGP is too complex to use.
>
> IMO, the reason we're having this bout of "don't use PGP" is the
> keyserver vulnerability that enables the recent spate of DoS attacks.
> This problem is rooted in design, but luckily doesn't run deep and is
> therefore solvable. That's not to say I think PGP is just fine, but if
> we're going to move beyond it and its (admittedly crummy) formats then
> we should have something else to manage identity across a broad range
> of use cases – we should have a proper replacement. Otherwise, I fear
> that information security as a field will have failed.
>
