On 7/17/19 1:11 PM, Chris Laprise wrote:
> On 7/17/19 5:40 AM, ronpunz wrote:
>> Reading this article,
>> https://latacora.micro.blog/2019/07/16/the-pgp-problem.html, it's clear
>> the authors have little to no confidence in the security or capabilities
>> of PGP encryption.
>>
>> Is this article a scare mongering propaganda exercise or do they have
>> valid concerns about why we should not be using PGP? They seem to
>> advocate using OpenBSD's Signify - do we move to this?
> 
> I worry when I read articles like this, because they make some good
> points (along with some bad ones) against PGP but their recommendations
> often demonstrate a blindness to the things they're criticizing.
> 
> Case in point: 'Use Signal.' While Signal is a pleasure to use for many
> people, it's tied to identities in the telephone system, which is a
> problem from the 1890s not 1990s. When I see this slip up, I start
> worrying about the soundness of their other recommendations.
> 
> I also don't necessarily agree with the idea that many different
> encryption tools should be used for many different purposes. This is
> another red flag for me, because it hides deeper UX and compatibility
> issues behind a veneer of simplistic apps.
> 
> Yet another red flag is the way the author treats some of PGP's problems
> as specific to an old design, when really the problem is more
> fundamental. Leaking metadata, for example, is a common problem that
> bedevils even programs like Tor.
> 
> And yet another is arguing from the assumption that Web Of Trust is a
> necessary ingredient in PGP usage. It isn't, and that fact dispels many
> claims that PGP is too complex to use.
> 
> IMO, the reason we're having this bout of "don't use PGP" is the
> keyserver vulnerability that enables the recent spate of DoS attacks.
> This problem is rooted in design, but luckily doesn't run deep and is
> therefore solvable. That's not to say I think PGP is just fine, but if
> we're going to move beyond it and its (admittedly crummy) formats then
> we should have something else to manage identity across a broad range of
> use cases – we should have a proper replacement. Otherwise, I fear that
> information security as a field will have failed.
> 

I think I agree with most of your criticism of the critique...
And to me, I have long felt that PGP is problematic, and not always the
best to use, and should probably be replaced.
But I do not believe that the replacement has arrived yet.

And this article points out, in a lot of places, that to benefit from
security systems, you have to use them correctly. And I think I know my
way around PGP fairly well. I've used it in a few different ways for
quite some years now.
If I'm going to learn a new system, I'll mess up, a lot. And it's likely
I'll find myself the only user of this new, shiny system.

I do test a lot of new systems. But I'm not in any way ready to leave
GPG behind just yet. It's so deeply ingrained in our ecosystem that it'd
be hard to navigate without it. Whatever we replace it with doesn't just
have to be better, or more usable. It has to be used.
