
Everything about GPG is a problem.

The tech is old and out of sync with modern cryptographic principles. It supports a bunch of obsolete algorithms for backwards compatibility, some of which are badly broken. It has a complicated packet format that's hard to parse and itself has security issues. It encourages bad practices like keeping ancient keys around because they have signatures on them.

It's also highly hostile to using it in any way but how it was designed. For ages, there was no library to parse OpenPGP packets. You had to run gpg itself, maybe give it a fake home directory, feed it whatever you need, parse the output... it's an enormous amount of pain even for simple things, and it's all terribly slow.

And it badly damaged the ecosystem, because either you spend lots and lots of time on reimplementing lots of crypto (which tends to be a bad idea), or you try to trick GPG into doing what you need and end up with a system that's dreadfully slow and painful to use.

The problems you speak of are probably due to this. There wasn't a usable base to build services on until very recently, when GPG was already effectively dead.
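To make the "complicated packet format" point concrete, here is an added example (not code from the thread or from GnuPG) that parses only the framing layer of OpenPGP packets as specified in RFC 4880 section 4.2: the header octet, the two header styles (old and new format), and the four length encodings, including the partial-body-length chains that most ad-hoc parsers get wrong. Every sample input is constructed inline; the tag names in `TAG_NAMES` are a subset of RFC 4880 section 4.3. The parser rejects truncated or overrunning lengths instead of slicing past the end of the buffer, which is the defensive behaviour a reader of such data should insist on.

```python
"""Minimal OpenPGP (RFC 4880) packet framing parser with bounds checks.

Added example, not part of the original thread. It extracts (tag, body)
pairs and nothing more; it does not interpret packet bodies.
"""
from typing import List, Tuple

# Subset of packet tags from RFC 4880 section 4.3, for readable summaries.
TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    6: "Public-Key",
    11: "Literal Data",
    13: "User ID",
    14: "Public-Subkey",
}


class PacketError(ValueError):
    """Raised for malformed or truncated packet framing."""


def _new_length(buf: bytes, pos: int) -> Tuple[int, bool, int]:
    """Decode a new-format body length at buf[pos].

    Returns (length, is_partial, octets_consumed).
    """
    if pos >= len(buf):
        raise PacketError("truncated: missing length octet")
    b1 = buf[pos]
    if b1 < 192:                       # one-octet length
        return b1, False, 1
    if b1 < 224:                       # two-octet length, 192..8383
        if pos + 1 >= len(buf):
            raise PacketError("truncated two-octet length")
        return ((b1 - 192) << 8) + buf[pos + 1] + 192, False, 2
    if b1 == 255:                      # five-octet length (0xFF + 4 octets)
        if pos + 4 >= len(buf):
            raise PacketError("truncated five-octet length")
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), False, 5
    # 224..254: partial body length; another length follows this chunk
    return 1 << (b1 & 0x1F), True, 1


def _old_length(buf: bytes, pos: int, ltype: int) -> Tuple[int, int]:
    """Decode an old-format length; -1 means 'indeterminate' (to end of input)."""
    if ltype == 3:
        return -1, 0
    n = 1 << ltype                     # 1, 2 or 4 length octets
    if pos + n > len(buf):
        raise PacketError("truncated old-format length")
    return int.from_bytes(buf[pos:pos + n], "big"), n


def parse_packets(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split buf into (tag, body) pairs, validating every length against the input."""
    out: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(buf):
        first = buf[pos]
        pos += 1
        if not first & 0x80:           # bit 7 must always be set
            raise PacketError(f"bad header octet 0x{first:02x} at {pos - 1}")
        if first & 0x40:               # new-format header: tag in bits 5..0
            tag = first & 0x3F
            body = bytearray()
            while True:                # follow partial-length chain to the end
                length, partial, used = _new_length(buf, pos)
                pos += used
                if pos + length > len(buf):
                    raise PacketError(f"body of tag {tag} overruns input")
                body += buf[pos:pos + length]
                pos += length
                if not partial:
                    break
            out.append((tag, bytes(body)))
        else:                          # old-format header: tag in bits 5..2
            tag = (first >> 2) & 0x0F
            length, used = _old_length(buf, pos, first & 0x03)
            pos += used
            if length == -1:
                length = len(buf) - pos
            if pos + length > len(buf):
                raise PacketError(f"body of tag {tag} overruns input")
            out.append((tag, bytes(buf[pos:pos + length])))
            pos += length
    return out


def is_malformed(buf: bytes) -> bool:
    """True if the framing is rejected (truncated, overrunning, or bad header)."""
    try:
        parse_packets(buf)
        return False
    except PacketError:
        return True


def describe(buf: bytes) -> List[str]:
    """Human-readable one-liner per packet."""
    return [f"{TAG_NAMES.get(tag, 'tag ' + str(tag))}: {len(body)} bytes"
            for tag, body in parse_packets(buf)]


# Constructed sample: an old-format User ID packet (0xB4 = old, tag 13,
# 1-octet length) followed by a new-format Literal Data packet (0xCB = tag 11).
SAMPLE = bytes([0xB4, 5]) + b"alice" + bytes([0xCB, 2]) + b"hi"

if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

Run it as-is to see the two packets summarised; feed `parse_packets` a buffer such as `bytes([0xB4, 5]) + b"ab"` (a length that claims more than is present) and it raises `PacketError` rather than silently returning a short body.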




You're being dramatic and uncharitable.

GPG works.

If you don't like it, invent something better.


> You're being dramatic and uncharitable.

Being uncharitable with security critical software is the right attitude to have.

> GPG works.

Yeah, not quite. I've used it extensively. I've got an excellently well connected key. I've tried writing software that uses gpg. I've reached the conclusion that it's a lost cause.

> If you don't like it, invent something better.

People have. Things like the Signal protocol for instance.





