PGP needs to be retired in honor (ctrlc.hu)
>"Consider your average investigative journalist or whistleblower, with Windows or a Mac, that they haven't updated because then their kids' favorite game doesn't run anymore or they simply don't want Windows 10. .... This makes forward secrecy a mandatory requirement, as this implies that the malware has to be constantly active and thus also enhances chances of detection and mitigation."

This is a bit of a straw-man argument. Forward secrecy or not, if you can get root on the client device, you own everything. So if you are a journalist/whistleblower, and have invested the effort to learn PGP, you should use Tails or something more appropriate for your job than Windows or a Mac.

So for those of us that need to run Windows/OSX to run software, like Photoshop, for our job, we should just give up on PGP? Seems like a supporting argument for the article then.

I think the title is a little inflammatory. The conclusion does not say we should stop using PGP but consider the weakness inherent in its operating model and assumptions when evaluating a future replacement. I think it is fair to say that the world is still waiting for said replacement, and until that arrives, PGP still has a number of valuable properties, one of which being that it exists.

The listed examples all exist. Signal is already more widely used than PGP ever was in the last 25 years.

Have you not written:

"I also do not recommend using a centralized service that keeps your keys on a smartphone. However I warmly recommend using the Signal Protocol whenever messaging is to be done. Signal can be a direct replacement for PGP someone just has to code up the whole thing (time to flesh out signal-cli)."

Can be, someone just.

Perhaps I'm just out of touch, but I'm not familiar with any of the alternative tools they mentioned. If we retire PGP (and its GNU clone), what widely available tool should we use in its stead?

Quite a few listed here - https://alternativeto.net/software/gnupg/

Signal? Some paid services seem to be blossoming, see https://protonmail.com

opmsg does masquerade as gnupg on the CLI. If you take this further you could create a gnupg chameleon which detects what keys are available or what the input is based on auxiliary info and then invoke the appropriate tool (which might be gnupg, or something else).

On a different note: gnupg is not widely used, Signal is.

Signal is for text messaging and fails as an email replacement. It also does not work for signing code, and it requires you to give over your contacts list to a third party to work.

Signal is not fit for PGP's use case.

My biggest point of contention with this is... what should replace it? PGP is the current and retroactive pseudo-standard for verification for everything from email to code to builds.

Any replacement would have to be at least semi-compatible, so as not to break the (likely) hundreds of solutions relying on and expecting PGP.

