
PGP needs to be retired in honor - mstef
https://www.ctrlc.hu/~stef/blog/posts/on_pgp.html
======
bubblethink
>"Consider your average investigative journalist or whistleblower, with
windows or a mac, that they haven't updated because then their kids' favorite
game doesn't run anymore or they simply don't want windows 10. .... This makes
forward secrecy a mandatory requirement, as this implies that the malware has
to be constantly active and thus also enhances chances of detection and
mitigation."

This is a bit of a straw-man argument. Forward secrecy or not, if you can get
root on the client device, you own everything. So if you are a
journalist/whistleblower, and have invested the effort to learn PGP, you
should use Tails or something more appropriate for your job than windows or a
mac.

Edit: This may be a good use case for hardware support for trusted execution
(Intel SGX), along with all the other nasty features that it brings (DRM). The
threat model for trusted execution is that the OS cannot be trusted whereas
the app is sacrosanct.

~~~
nemothekid
So for those of us who need to run Windows/OSX to run software like Photoshop
for our job, should we just give up on PGP? Seems like a supporting argument
for the article then.

~~~
verytrivial
Your argument comes down to the threat model. A journalist who also uses
Photoshop is free to use whatever system they have sufficient trust in for the
nature of the communication at hand.

If they're likely to be killed because someone reads the content of their
messages, they should easily be able to weigh that cost against needing to
boot off USB every now and again.

So that said, if you use crypto-system X on a machine you cannot trust,
crypto-system X will not be able to protect you very much.

~~~
nemothekid
I understand the threat model. However that notion implies that those of us
who aren't at risk of death over our emails should give up PGP. Given that (I
assume) most of us aren't at risk of murder by the nation-state, PGP is dead.

I would prefer a solution where everyone could reasonably get end-to-end
encrypted emails. Unfortunately, given the unfitness of PGP for this goal,
coupled with recent work in the space, it looks like we will either get
plaintext over decentralized email, or e2ee inside walled gardens.

~~~
verytrivial
There is nothing stopping you from having more than one identity. If you don't
mind too much if malware has your PGP details, then all good. If you would
like a more secure way to store these details for other sorts of
communication, perhaps a different machine, a live-CD or hardware token[1][2]
can be justified.

I think it is also worth remembering that even the most liberal western
democracies have laws that one way or another prevent people from keeping
secrets from the law. If everyone has it, and uses it, and it cannot be
backdoored, it will be banned rather quickly IMHO. And the people who don't
care about privacy -- i.e. most everyone -- won't care about crypto being
banned either after the right wing press is done with them. (Restated: we
shouldn't force people to close their curtains any more than we force them to
open them).

I'm rambling, sorry.

Both of these might also work with your phone via NFC.

[1] [https://www.fidesmo.com/](https://www.fidesmo.com/)
[2] [https://www.yubico.com/products/yubikey-hardware/yubikey-neo/](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/)

------
verytrivial
I think the title is a little inflammatory. The conclusion does not say we
should stop using PGP but consider the weakness inherent in its operating
model and assumptions when evaluating future replacement. I think it is fair
to say that the world is still waiting for said replacement, and until that
arrives, PGP still has a number of valuable properties, one of which being _it
exists_.

~~~
mstef
the listed examples all exist. signal is already more widely used than pgp
ever was in the last 25 years.

~~~
datatan
That's an impossible statement to prove. Signal is centralized with a concrete
list of users. PGP is decentralized with no possible way of knowing how many
use it or don't.

~~~
mstef
count the keys on the keyservers, apply some multiplier, chances are that it's
still less than signal users today.

~~~
OJFord
> _PGP is decentralized with no possible way of knowing how many use it_

> _..., apply some multiplier, ..._

You glossed over that like it was nothing. Let me rephrase GP: "... with no
possible way of knowing the multiplier".

Obviously there exists a k such that for n keys on "the keyservers" (we'll
have fun enumerating those too) and s signal users, k*n > s.

~~~
mstef
according to
[http://keys.mayfirst.org/pks/lookup?op=stats](http://keys.mayfirst.org/pks/lookup?op=stats)
there are currently 4594571 keys on the bulk of public keyservers. considering
the rumors that facebook and others also do signal and their user base is
around a rumored billion, the k that i glossed over is around 217. even if we
assume that there's dark masses that never ever used a keyserver, we ignore
the fact that out of those 4.5 million pgp keys most are expired, revoked or
simply lost, so the active keys on the keyservers are probably much less, and
thus k is also much bigger.

------
mc42
My biggest point of contention with this is... what should replace it? PGP is
the current and retroactive pseudo-standard for verification for everything
from email to code to builds.

Any replacement would have to be at least semi-compatible, so as not to break
the (likely) hundreds of solutions relying on and expecting PGP.

~~~
verandaguy
I used to be skeptical about this... but if the Signal protocol sees more
widespread adoption outside of the Signal app and Whatsapp, it could be a good
fit.

I'm very open to hearing about reasons why this wouldn't be the case, though.

~~~
CaptSpify
AFAIU, the Signal protocol doesn't work with email, only with sms. Am I
mistaken in this?

~~~
mstef
the protocol is very generic and does not require anything related to phones.
it is actually 3 parts, a key exchange, a signature mode and a ratchet. how
you combine these is up to you. the app is one way to combine them with
phones. there's other ways to use the protocol, that could also be applied to
emails
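The symmetric (chain-key) ratchet mstef refers to, as an added worked example that is not code from the post, from Signal or from any of the tools named on this page. It is a simplified illustration of the KDF chain Signal's documentation describes (chain key advanced with HMAC-SHA256 under one constant, message key derived under another); the exact constants, the key size and the `simulate_compromise` helper are assumptions made for this demo, and the initial chain key is a constructed value rather than the output of a real key exchange. It shows the forward-secrecy property argued over at the top of the thread: malware that steals the current chain key can recompute this and all later message keys, but none of the earlier ones.

```python
import hashlib
import hmac
import os

# Constants chosen for this demo. Signal's spec also uses distinct single-byte
# HMAC inputs for the two derivations; the exact values here are an assumption.
CHAIN_CONST = b"\x02"
MSG_CONST = b"\x01"


def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """Advance the symmetric ratchet one step.

    Returns (next_chain_key, message_key). HMAC-SHA256 is one-way, so holding
    message_key or next_chain_key gives no way back to chain_key.
    """
    next_chain_key = hmac.new(chain_key, CHAIN_CONST, hashlib.sha256).digest()
    message_key = hmac.new(chain_key, MSG_CONST, hashlib.sha256).digest()
    return next_chain_key, message_key


def derive_message_keys(chain_key: bytes, n: int) -> tuple[list[bytes], bytes]:
    """Derive n successive message keys.

    Returns the keys and the chain key left after the n-th step. A real
    client erases each chain key as soon as it has been replaced, which is
    what makes the property below hold on the device, not just on paper.
    """
    keys = []
    for _ in range(n):
        chain_key, message_key = kdf_ck(chain_key)
        keys.append(message_key)
    return keys, chain_key


def simulate_compromise(initial_chain_key: bytes, total_messages: int,
                        compromise_after: int) -> dict:
    """Model an attacker who steals the chain key after `compromise_after`
    messages (e.g. malware that runs once and exfiltrates the ratchet state).

    Returns the indices of message keys the attacker can recompute from the
    stolen state and the indices that stay out of reach.
    """
    all_keys, _ = derive_message_keys(initial_chain_key, total_messages)
    # The only state present on the device at the moment of theft.
    _, stolen_chain_key = derive_message_keys(initial_chain_key, compromise_after)

    remaining = total_messages - compromise_after
    recomputed, _ = derive_message_keys(stolen_chain_key, remaining)

    exposed = [i for i, k in enumerate(all_keys) if k in recomputed]
    protected = [i for i, k in enumerate(all_keys) if k not in recomputed]
    return {"exposed": exposed, "protected": protected,
            "all_keys": all_keys, "recomputed": recomputed}


if __name__ == "__main__":
    # Constructed demo input; a real session derives this from the key exchange.
    ck0 = os.urandom(32)
    result = simulate_compromise(ck0, total_messages=6, compromise_after=3)
    print("attacker recovers message keys:", result["exposed"])     # [3, 4, 5]
    print("earlier message keys stay secret:", result["protected"])  # [0, 1, 2]
```

This is only the symmetric half of the design. Signal's full Double Ratchet additionally mixes fresh Diffie-Hellman output into the chain whenever the peer responds, so keys derived after the next DH step are also unrecoverable from the stolen state; that is the "constantly active malware" requirement the quoted article relies on, and it is the part PGP's long-lived static keys cannot provide.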

------
falcolas
Perhaps I'm just out of touch, but I'm not familiar with any of the
alternative tools they mentioned. If we retire PGP (and its GNU clone), what
widely available tool should we use in its stead?

~~~
gregoryrueda
Signal? Some paid services seem to be blossoming, see
[https://protonmail.com](https://protonmail.com)

~~~
falcolas
Signal is not much of a PGP replacement. There's a lot that PGP can do that
Signal can't: signing, encryption of large blobs at rest, and key management.

I use PGP as part of my backup solution, encrypting my backups at rest with an
asymmetric key. I can't do that with Signal.

~~~
tptacek
Signal does a better job of practically everything PGP does with regards to
message encryption. Yes, PGP is more useful for encrypting files or signing
updates. I agree that it's too early to write off PGP for those applications.
But people should use Signal instead of PGP for message encryption.

~~~
Freak_NL
> But people should use Signal instead of PGP for message encryption.

Signal the protocol or Signal the service? There does not appear to be a
mature FOSS toolchain for the former that can replace gnupg and
Thunderbird/Enigmail, and the latter is only available on Android and iOS
smartphones.

~~~
tptacek
Don't use email to send secret messages.

~~~
thaumasiotes
Any chance you could elaborate on this? What about email is inimical to secret
messages? Why are they less secret over email than through some other medium?

------
zobzu
Another "I don't think PGP is good enough" and "here's all these things"

Yet none fully replaces PGP yet. Before you actually retire PGP, maybe you
need one of these projects to finish a real, complete, reviewed and high
quality replacement ;-)

~~~
mstef
some of these tools actually fully replace pgp (see opmsg for example);
however, that is actually a very low bar to master. it seems pgp is seen as a
silver bullet handling all use-cases like a charm. this is far from reality;
actually it fails in many cases, and specialized tools might actually fit the
purpose much better, also surpassing pgp in their special niche.

------
platz
> hopefully there'll be more and better tools

Good criticism, but we need an actual plan for "repeal and replace", rather
than "hope" for better tools.

------
krick
I started reading to know what's wrong with PGP, but it very quickly escalated
to the discussion about making educated bets about cryptography as a whole. I
think this is a hugely important topic and it is a real shame this is not being
discussed more. Maybe security people are more conscious about that (I surely
hope so), but the general public doesn't seem to be. And by "general public"
here I actually mean self-proclaimed paranoids and not your grandma or a
girlfriend. We talk a lot about if something is proclaimed secure by so-called
experts, about theoretical weaknesses of Telegram or something, monitor
important 0-days, buzz about how bad it is to give all your private data to
facebook or google and how fucked we all are. But we rarely seriously talk
about who our adversaries really are, what exactly we are trying to protect
and if we're using the right tools for that. About making educated bets. And
at the end of the day, this is all it is actually about — making educated
bets. Because not all our data, not all our accounts are equally important,
and they are not equally important to the different kinds of adversaries. So
the only way to be somewhat secure is to recognize that there's no absolute
security and we cannot protect everything. So better start taking it
consciously and focusing on what's really important.

------
sildur
Agreed, PGP is dead, long live GnuPG!

~~~
dmix
GPG is still the domain of nerds. But yes, we all still use email and as long
as we do I will use GPG with my coworkers who know how.

~~~
nickpsecurity
Or people that value strong privacy + will tolerate using a command written
down on a piece of paper.

