The #39C3 “To sign or not to sign” (https://gpg.fail) talk is excellent. 👏

IMHO: Avoid PGP altogether, especially #GnuPG. Avoid memory unsafe programming languages, wherever feasible.

It is mind-boggling that the gpg team / g10 Code GmbH refuses to fix all vulnerabilities, given that their @bsi certification and thus their business model are at risk.

Also goes to show that BSI certifications are worthless. Quelle surprise?

GnuPG having opinions on #Rust: https://www.gnupg.org/blog/20250117-aheinecke-on-sequoia.html

> In my view, GnuPG and OpenPGP are extremely mature and basically done.
> After collectively quitting their jobs at g10 Code […] former employees […] began inventing new problems and features to justify competition [by creating sequoia]
> *But we don't want to change*
> At GnuPG, we understood that unnecessary changes to a secure system pose risks that in our case nearly always outweigh the benefits.

Hey, GnuPG: You’re wrong! Grow tf up!

My thoughts on Sequoia PGP and LibrePGP

@fluepke Not going to happen. If you want to see more instances of GnuPG trying hard to be on the wrong side of history, look up the OpenPGP vs LibrePGP shitshow.

At least this helps make PGP less relevant, which is good.

@neverpanic I do honestly think PGP in general and GnuPG in particular are dead by now. They’ve made mistakes, which is fine and may happen, but they had sufficient time to fix them, yet didn’t. There isn’t anything to discuss about the vulns. There’s no room for “you’re holding it wrong”. Anything other than a patch is a: Please avoid our software!

OpenPGP RFC standardization is also a mess with GnuPG refusing to adopt improvements.

@fluepke @neverpanic Are there any *widespread* alternatives nowadays? 'cause most of what I have heard is extremely niche audience or not general-purpose.

@crystalmoon @neverpanic it depends™ on the use case.

Email is fundamentally broken, because it requires third-party software for security. Signal messenger seems widespread.

@fluepke @neverpanic I was worried about exactly this... guess I will be watching this talk as soon as the VOD pops up!

@fluepke
Signal is not decentralized. You can't use your own server. You are stuck with their AWS Google Azure shit stack.
@crystalmoon @neverpanic

@bohwaz @crystalmoon @neverpanic widespread adoption and newbie friendly <-> ethically sourced, bio-degradable, home-grown, decentralized.

@fluepke
There is nothing more widespread than email, it's decentralized and it works. There is no reason we cannot do something widespread ethical and decentralised (and encrypted). We don't have to compromise.
@crystalmoon @neverpanic

@bohwaz For mail, you still need to make it easy to use, widely deployed (everybody has email, approximately nobody has encryption software), and solve the key exchange problem somehow (Autocrypt is a start, but deployment is marginal at best). A solution with all three of those doesn't exist at the moment; Signal exists. While somebody sits down and solves these for email, using Signal may just be the next best alternative.

@fluepke @crystalmoon

@bohwaz @crystalmoon @neverpanic email stopped working when Microsoft and t-online entered the game.

Hosting your own mail server is hard and we shouldn’t expect anyone to host their own server.

The standard solution for mail encryption is S/MIME. PGP standardization is broken.

@fluepke @bohwaz @neverpanic iirc it requires the CA ecosystem, which isn't equally as broken as GPG? (think state run CAs)

@crystalmoon @bohwaz @neverpanic you can use self-signed certificates.

Or just move on to Signal and use something that’s compatible with non-IT experts.

@fluepke there are unfortunately no good alternatives for signatures over software in the OSS space at the moment. Sigstore might be, but has some limitations and some way to go. OpenBSD's signify is neat, but too simple (no PQC, no FIPS option).

For encryption, the sooner people stop using PGP, the better.