top | item 38556774


sleepless | 2 years ago

Nice writeup.

It is a serious problem that the ecosystem is held back by wasting resources on personal disputes with immediate consequences for end users.

Hate on OpenPGP all you want, it still is an important technology with unrealized potential and growth.


femiagbabiaka|2 years ago

It’s not actually clear from reading through this document or others, or the linked email threads, etc. that there is a personal dispute at play, or what that might be. I’m also not sure who the target of this document is, or who wrote it. It’s also not clear what the forcing function behind the strong recommendations at the end is — will the author fork GnuPG in the event a resolution can’t be reached?

freedomben|2 years ago

It doesn't sound like a personal dispute to me, it sounds technical. One camp (Open) wants to move faster and break backward compatibility, the other (Libre) wants to move slower and maintain backward compatibility.

throw0101b|2 years ago

> One camp (Open) wants to move faster and break backward compatibility, the other (Libre) wants to move slower and maintain backwards compatibility

There is no breaking of backward compatibility. The crypto-refresh draft and the LibrePGP draft are equally backward-compatible.

See 'A Critique on “A Critique on the OpenPGP Updates”':

* https://blog.pgpkeys.eu/critique-critique

Both groups would create a new format (Libre = v5; crypto-refresh = v6). v4-only wouldn't be able to handle either new format, and newer software could presumably be told to create files in the older format.

The Proton folks are choosing to support both v5 and v6:

* https://github.com/ProtonMail/go-crypto/pull/182

As is the Thunderbird/RNP team:

* https://github.com/rnpgp/rnp/commit/fdfc1f5bb11d439e35f3c855...
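The point above about v4-only software and the two new key formats is easy to see at the packet level. The following is an added worked example, not code from the thread or from any OpenPGP implementation: it parses an OpenPGP packet header, dispatches on the key-packet version octet, and computes the fingerprint the way each version defines it (v4 per RFC 4880, v5 per the rfc4880bis draft that LibrePGP carries forward, v6 per RFC 9580). A v4-only consumer is shown rejecting both new versions, while a version-aware one handles all three. The key material, creation time and algorithm choices are constructed dummy values, not real keys.

```python
"""Added example (not from the thread or any OpenPGP project): why a
v4-only OpenPGP implementation cannot consume v5 (LibrePGP) or v6
(crypto-refresh / RFC 9580) key packets. Field layouts follow RFC 4880,
draft-ietf-openpgp-rfc4880bis (v5) and RFC 9580 (v6). All key material
below is constructed dummy bytes, not a real key."""
import hashlib
import struct


def parse_packet(data: bytes):
    """Return (tag, body, rest) for the first packet in ``data``.
    Handles old (RFC 4880 4.2.1) and new (4.2.2) header formats; partial
    body lengths are not needed for key packets and are rejected."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:  # new-format header: tag in low 6 bits
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported here")
    else:  # old-format header: tag in bits 5..2, length type in bits 1..0
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not allowed for key packets")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, data[off + length:]


def describe_key(body: bytes) -> dict:
    """Parse the fixed fields of a public-key packet body. v4 key material
    follows the algorithm octet directly; v5 and v6 insert a 4-octet count
    of the material's length first, which a v4 parser would misread."""
    version, created, algo = body[0], struct.unpack(">I", body[1:5])[0], body[5]
    if version == 4:
        material = body[6:]
    elif version in (5, 6):
        count = struct.unpack(">I", body[6:10])[0]
        material = body[10:10 + count]
        if len(material) != count:
            raise ValueError("truncated key material")
    else:
        raise ValueError(f"unknown key packet version {version}")
    return {"version": version, "created": created, "algo": algo, "material": material}


def fingerprint(body: bytes) -> str:
    """Version-aware fingerprint: v4 = SHA-1(0x99 || 2-octet len || body),
    v5 = SHA-256(0x9A || 4-octet len || body), v6 = SHA-256(0x9B || 4-octet len || body)."""
    version = body[0]
    if version == 4:
        return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    if version == 5:
        return hashlib.sha256(b"\x9a" + struct.pack(">I", len(body)) + body).hexdigest()
    if version == 6:
        return hashlib.sha256(b"\x9b" + struct.pack(">I", len(body)) + body).hexdigest()
    raise ValueError(f"unknown key packet version {version}")


def fingerprint_v4_only(body: bytes) -> str:
    """What an RFC 4880-era implementation does: anything but v4 is an error."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    return fingerprint(body)


def accepted_by(fn, body: bytes) -> bool:
    """True if ``fn`` processes ``body`` without raising ValueError."""
    try:
        fn(body)
        return True
    except ValueError:
        return False


# Constructed sample bodies (dummy material, not real keys).
SAMPLE_CREATED = struct.pack(">I", 1700000000)
DUMMY_POINT = bytes(range(32))
OID_ED25519 = bytes.fromhex("092b06010401da470f01")  # length-prefixed 1.3.6.1.4.1.11591.15.1
MPI_DUMMY = struct.pack(">H", 263) + b"\x40" + DUMMY_POINT  # 0x40 prefix + 32 bytes = 263 bits
V4_BODY = b"\x04" + SAMPLE_CREATED + b"\x16" + OID_ED25519 + MPI_DUMMY  # algo 22 = EdDSALegacy
V5_BODY = (b"\x05" + SAMPLE_CREATED + b"\x16"
           + struct.pack(">I", len(OID_ED25519 + MPI_DUMMY)) + OID_ED25519 + MPI_DUMMY)
V6_BODY = b"\x06" + SAMPLE_CREATED + b"\x1b" + struct.pack(">I", 32) + DUMMY_POINT  # algo 27 = Ed25519


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Wrap a body in a new-format header (1-, 2- or 5-octet length)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n) + body


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Wrap a body (< 256 octets) in an old-format header with a 1-octet length."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


if __name__ == "__main__":
    for body in (V4_BODY, V5_BODY, V6_BODY):
        _, parsed, _ = parse_packet(new_format_packet(6, body))
        print(describe_key(parsed)["version"], fingerprint(parsed),
              "v4-only accepts:", accepted_by(fingerprint_v4_only, parsed))
```

Run stand-alone it prints one line per sample key; only the v4 packet is accepted by the v4-only path, which is the compatibility gap both proposals share, regardless of whether v5 or v6 wins.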

daveguy|2 years ago

It seems like maintaining backwards compatibility would be important for something that otherwise irreversibly encrypts your data.

nvy|2 years ago

I think the common refrain against PGP is that it shouldn't be important, because it suffers from a myriad of technical and sociological shortcomings.

The whole situation regarding key servers, key rotation, and the web of trust is a complete dumpster fire.

0xDEAFBEAD|2 years ago

>The whole situation regarding key servers, key rotation, and the web of trust is a complete dumpster fire.

Can you explain why?

People elsewhere in this thread are saying that PGP sucks because it tries to do too many things at once, but it seems to me that the one big advantage of a tool which does everything at once is that you only need to solve authenticity one time for everything you do.

For example, if I'm communicating with an open source dev, having their known-authentic PGP key allows me to simultaneously verify the authenticity of their software updates, verify the authenticity of the email they send me, and encrypt my emails to them. Is there anything outside of PGP that accomplishes this?