Comments on "Giving up on PGP"

These are some slightly expanded hot takes on "I'm giving up on PGP" (later republished at Ars).

Several friends were discussing this last week & so I thought to pull my own comments from that discussion and extend them.

That piece puts a lot of emphasis on private communication, rather than on verifiable communication.

PGP signing as an integrity check is not entirely divorced from the infelicities mentioned, but it is different.

This is the point I make in class to tie it into widespread FOSS usage: attribution is crucial to FOSS projects because copyright can only be held and defended by an identifiable entity. This is a greater concern for copyleft projects, but the ability to use even permissively licensed projects could be attacked by someone who lays plausible claim to code that made it into such a project without clear and countervailing provenance.

Turns out, for secret communication, attribution is often something you want to be ephemeral (e.g., repudiability is a feature of Signal etc.). But secure communication is a broader category than just secret communication: verifiable integrity checking is probably the biggest use of PGP, and the one Valsorda seems to have been uninterested in. He may not have ever bothered to trace a path in the strongly-connected set between keys, but it's not clear why that should impress any of us who have.

Key management is a hassle, yes. PGP was designed before the Internet was even much of a thing, and so current Internet-native tools should of course make routine management easier in comparison, or even automated. Different tools for different jobs. The hard parts surrounding key exchange are not, as it happens, necessarily all technical in nature, which puts a limit on what even can be done.

Again, this goes back to that question of use cases: where PGP has been used for signing, the hassle matters less.

For compromised PGP keys used in integrity checking, you wouldn't trust a signature from a revoked key going forward, is all.
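As an added example (not part of the original post), here is the "good signature from a pinned key, never from a revoked one" policy written as a small check over the status lines gpg emits with `--status-fd`. The sample status output, key ID and fingerprint are constructed for the demo; the keyword and field layout follow GnuPG's documented status-fd format.

```python
import re
import subprocess

# Signature-state keywords gpg prints on --status-fd (GnuPG doc/DETAILS).
SIG_STATES = {"GOODSIG": "good", "REVKEYSIG": "revoked",
              "EXPKEYSIG": "expired", "BADSIG": "bad"}

def judge(status_lines, pinned_fprs):
    """Integrity-check policy over gpg status lines: trust only a good
    signature made by a key pinned in advance; a revoked or expired key is
    refused even when the signature itself is cryptographically good.
    Returns (trusted, state, primary_fingerprint, reason)."""
    state, fpr = "none", ""
    for line in status_lines:
        m = re.match(r"\[GNUPG:\] (\w+)(?: (.*))?$", line.strip())
        if not m:
            continue
        kw, rest = m.group(1), m.group(2) or ""
        if kw in SIG_STATES:
            state = SIG_STATES[kw]
        elif kw == "VALIDSIG":
            f = rest.split()  # fpr date ts exp ver rsv pk hash class [primary-fpr]
            fpr = f[-1] if len(f) >= 10 else f[0]
    if state == "good" and fpr in pinned_fprs:
        return True, state, fpr, "good signature by a pinned key"
    if state == "good":
        return False, state, fpr, "good signature, but the key is not pinned"
    if state in ("revoked", "expired"):
        return False, state, fpr, f"signing key is {state}; not trusted going forward"
    return False, state, fpr, "no good signature"

def verify_file(signature, artifact, pinned_fprs):
    """Run gpg on a detached signature and apply the policy above."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           signature, artifact], capture_output=True, text=True)
    return judge(proc.stdout.splitlines(), pinned_fprs)

# Constructed sample status output (fake key ID and fingerprint) for a demo.
FPR = "0000111122223333444455556666777788889999"
GOOD = ["[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG 6666777788889999 Rel <rel@example.org>",
        f"[GNUPG:] VALIDSIG {FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR}"]
REVOKED = [GOOD[0], GOOD[1].replace("GOODSIG", "REVKEYSIG"), GOOD[2]]
```

`judge(GOOD, {FPR})` accepts, while `judge(REVOKED, {FPR})` refuses even though gpg verified the signature itself, which is the distinction the paragraph above draws.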
