
GPG sadly never grew up. It's a program firmly stuck in the 90s.

The original PGP manual talked about secretly communicating with your lover. That was the usage model, transmitting secret messages to people you could sometimes meet in person, and where the model was you talking to people you directly know.

Try to verify the GPG signature on say, the Tor Browser. It's signed by "Tor Browser Developers (signing key)". Have you ever met this "Tor Browser Developers" person?

Okay, what about the web of trust? Well, GPG offers no help whatsoever in finding a way of making a connection.

And that's why it's dying, because the model it targets ceased to be relevant, and we developed plenty of new needs like verifying software signed by random people on the other side of the globe, while GPG did nothing to accommodate that use.




It's very unfortunate PGP/GPG hasn't kept up with the times. Today it has two significant issues:

1. The needed trust model has changed significantly.
2. It's not reusable enough.

1. The original PGP mostly dealt with direct person-to-person relationships. Alice and Bob needed to safely communicate. Perhaps Bob could vouch for Carol. But that was the intended model: closely related groups, with maybe a person trusted to act as an introducer. Today our needs are different, and we need to securely communicate with people we never met, or to verify their signatures. Any Linux system contains thousands of packages, which were worked on by many thousands of developers, whom one may need to communicate with securely at some point. E.g., I want to verify the GPG signature on the Tor browser, but I never met anyone on the team, and how do I know who knows the team?

My personal network actually extends very far. I did the FOSDEM key signing party several times, so my theoretical reach is enormous. But it can only be achieved by hacking around GPG's trust model. I need to figure out by hand a path between me and Tor, download the keys, and manually tell GPG I trust each key's signature. This isn't convenient or user-friendly, and it's not as safe as it could be.

2. GPG is unfortunately stuck in the "Unix Philosophy" era, where you're supposed to just invoke the binary and parse its text output. I believe this crippled GPG's adoption, because it's slow. GPG has to do the whole startup, reading its key databases and so on every single time. Back when GPG support was introduced into KMail many years ago this added a very noticeable delay to viewing any signed message.

And it's sadly still the case. The world badly needs a GPG library, that allows one to skip those startup costs, and to avoid the whole intended model of ~/.gnupg and just let a program do things like interpret in-memory data for any conceivable purpose. This is still badly lacking.
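
The manual trust-path work described above, made concrete as an added example (not code from the thread and not GnuPG's own code): it reimplements the documented rules of GnuPG's classic trust model with its default knobs (completes-needed 1, marginals-needed 3, max-cert-depth 5) over a constructed certification graph. All key names and certifications are constructed, and validity is tracked per key rather than per user ID, which is a simplification of what gpg does.

```python
"""GnuPG-style "classic" web-of-trust validity computed over a constructed key graph.

Added example, not from the original thread and not GnuPG's code. Shows that the
certifications can all exist already, yet nothing reaches the target key until the
user assigns ownertrust to every key on the path by hand. Simplification: validity
is tracked per key rather than per user ID.
"""
from collections import defaultdict

COMPLETES_NEEDED = 1     # one fully trusted signer suffices (gpg default)
MARGINALS_NEEDED = 3     # or three marginally trusted signers (gpg default)
MAX_CERT_DEPTH = 5       # longest accepted certification chain (gpg default)

# ownertrust levels as assigned with `gpg --edit-key <key> trust`
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


def compute_validity(certs, ownertrust):
    """Return {key: validity} with validity in {"ultimate", "full", "marginal", "unknown"}.

    certs:      iterable of (signer, signee) pairs: signer certified signee's key.
    ownertrust: {key: level} as the local user assigned it.
    """
    signers_of = defaultdict(set)
    keys = set(ownertrust)
    for signer, signee in certs:
        signers_of[signee].add(signer)
        keys.update((signer, signee))

    validity = {k: ("ultimate" if ownertrust.get(k) == ULTIMATE else "unknown") for k in keys}

    # One round per certification depth. A key becomes valid only through signers
    # that were themselves fully/ultimately valid in the previous round AND whose
    # owner the user trusts; a signer's ownertrust counts for nothing until its own
    # key is valid. "never" and unknown ownertrust never contribute.
    for _depth in range(MAX_CERT_DEPTH):
        prev = dict(validity)
        for key in keys:
            if prev[key] in ("ultimate", "full"):
                continue
            fulls = marginals = 0
            for signer in signers_of[key]:
                if prev[signer] not in ("ultimate", "full"):
                    continue
                level = ownertrust.get(signer, UNKNOWN)
                if level in (FULL, ULTIMATE):
                    fulls += 1
                elif level == MARGINAL:
                    marginals += 1
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                validity[key] = "full"
            elif fulls or marginals:
                validity[key] = "marginal"
        if validity == prev:
            break
    return validity


# Constructed graph: "me" signed three keys at a key-signing party, those three
# signed dave, and dave signed the "tor" key that is actually to be verified.
CERTS = [("me", "alice"), ("me", "bob"), ("me", "carol"),
         ("alice", "dave"), ("bob", "dave"), ("carol", "dave"),
         ("dave", "tor")]


def demo():
    """Validity before and after the manual ownertrust assignments GnuPG expects from the user."""
    before = compute_validity(CERTS, {"me": ULTIMATE})
    after = compute_validity(CERTS, {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
                                     "carol": MARGINAL, "dave": FULL})
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, {k: result[k] for k in ("alice", "dave", "tor")})
```

Before any ownertrust is assigned, the keys "me" signed directly are fully valid, but "dave" and "tor" stay unknown even though the certification path exists; only after marginal trust is placed on all three introducers and full trust on "dave" does "tor" become valid. With just two marginal introducers, "dave" is only marginally valid and "tor" remains unknown, which is exactly the hand-tuning the comment complains about.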


GPG is an immense failure from the point of view of protecting person-to-person communications.

It is largely a success in verifying the identities of the software developers. The entire Debian ecosystem relies on GPG in largely successful ways.

Peter Todd suggests that PGP drop encrypted communications as a goal and focus only on identity and authentication. It appears that PGP just can't be bootstrapped into modernity from a communication point of view. The only major innovation in authentication and identity has been threshold signatures, which GPG could support.


I doubt that this was widely adopted

Hell, even amongst my peers, I'm continually shocked at how many people have never used gpg, ever. And, anecdotally, the number gets lower as age gets lower. Young people aren't using it. It's dying.


Agreed, PGP is dead, long live GnuPG!

Yup. I have made active use of GPG over the last few months, and there are a few big problems:

1. A UX that is... Hard. As you say. See the last few minutes of this talk I did: http://youtu.be/LjZk8PP-u3c

2. You can't PGP with webmail.

3. You can't PGP on mobile.

4. This means that unless you're on your desktop, you can't do things like search through older emails, which is really important.

5. It requires both people to use PGP.

I fully agree with your final sentiment. If I could fork myself, this is one of the things I'd be putting a ton of time into.


A lot of folks I know use GPG; especially in the political context it is widely used. So it is not "dead", maybe you just don't know people that actually care.

Pffft, GPG doesn't work if you want to communicate with other people. It's very difficult to get people to use it, and the UX is horrible for it. On top of that it's even harder to use on mobile platforms. GPG also doesn't have forward secrecy.

PGP is an unfortunate obsolete technology, which sadly failed to evolve with the times.

I think the main thing that crippled PGP is tooling. What we have available is GnuPG, and GnuPG is horrible for every use case but what it was made for: A command-line interactive application, made for a single person's personal usage.

GnuPG insists on a model where it manages everything: key parsing, a key database, and the entire signing/verification process. There's no proper libgnupg either; what gpgme does is call gpg and present a library interface.

The problem with this is that GnuPG is very unfriendly towards attempts to build something new from the pieces. It really wants to be a commandline application that deals with a single person's encryption/decryption activities. So if you want to say, run statistics on PGP keys, or write a keyserver, or use it to implement signatures for packages, either you do it the GnuPG way, or you very laboriously trick it into doing what you need, or you write your own crypto code.

Option 1 isn't great if you want anything weird like statistics gathering.

Option 2 is just awkward and messy. Both 1 and 2 quickly run into limits. GPG for instance doesn't like trying to work with a database of a million keys. It has heavy startup costs. It's made for humans, not for any kind of heavy lifting.

Option 3 sucks because OpenPGP is extremely complex, and writing crypto code is very ill advised for most people.

And I think that's kinda what crippled the ecosystem. Doing anything but what gnupg wants to do has extreme startup costs, so few people ever try, and most people do it badly.

Doing what the author did here involves really going out of your way -- in a better world we'd have simple to use tooling to do this work, and PyPI would just do validation and reject bad stuff, but doing so is extremely non-trivial in PGP.

*Edit:* Case in point, I wondered how the author did this analysis. They made a tool for it, in April 2023: https://blog.yossarian.net/2023/04/14/Introducing-pgpkeydump

This is a tool that GPG should have had decades ago, and yet it didn't exist until now, when pretty much everyone has given up on PGP signing.

Edit 2: A nice blog post on how painful it is to deal with gpg if you want to actually build on top of it: https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_Gnu...
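
To show what "option 3" above actually costs, here is an added example (not code from the thread, from GnuPG or from pgpkeydump): the first thing anyone building on top of OpenPGP without a library has to write is the RFC 4880 packet-framing parser, both old- and new-format headers, followed by enough of the v4 public-key packet to recover the creation time, algorithm and fingerprint. The key material below is constructed (a 9-bit RSA modulus, a zero-filled stand-in for a signature body) and is not a real key.

```python
"""Minimal RFC 4880 packet-framing parser over a constructed OpenPGP public key.

Added example, not from the original thread, from GnuPG or from pgpkeydump.
Decodes old- and new-format packet headers (RFC 4880 section 4.2), MPIs (3.2),
the v4 public-key packet body (5.5.2) and the v4 fingerprint (12.2).
Partial body lengths and indeterminate old-format lengths are rejected rather
than implemented. The sample key is constructed and not usable for anything.
"""
import hashlib
import struct

PACKET_TAGS = {2: "signature", 5: "secret key", 6: "public key",
               13: "user ID", 14: "public subkey", 17: "user attribute"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def read_header(data, pos):
    """Decode one packet header at data[pos]; return (tag, body_start, body_len)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("bit 7 of a packet tag octet must be set")
    if ctb & 0x40:  # new format: tag in the low 6 bits, variable-size length field
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported in this example")
    # old format: tag in bits 2-5, length type in bits 0-1
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate old-format length not supported in this example")


def read_mpi(body, pos):
    """Read one MPI (2-octet bit count, then big-endian magnitude); return (int, next_pos)."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def parse_public_key(body):
    """Parse a v4 public-key packet body and compute its fingerprint and 64-bit key ID."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled here")
    created = struct.unpack(">I", body[1:5])[0]
    algo = body[5]
    mpis, pos = [], 6
    while pos < len(body):
        value, pos = read_mpi(body, pos)
        mpis.append(value)
    # v4 fingerprint: SHA-1 over 0x99, the two-octet body length, and the body
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"version": 4, "created": created, "algo": PUBKEY_ALGOS.get(algo, algo),
            "mpis": mpis, "fingerprint": fp, "keyid": fp[-16:]}


def parse_packets(data):
    """Walk a packet sequence and return a list of decoded packet dicts."""
    out, pos = [], 0
    while pos < len(data):
        tag, start, length = read_header(data, pos)
        body = data[start:start + length]
        pkt = {"tag": tag, "type": PACKET_TAGS.get(tag, "unknown"), "length": length}
        if tag == 6:
            pkt.update(parse_public_key(body))
        elif tag == 13:
            pkt["user_id"] = body.decode("utf-8", errors="replace")
        out.append(pkt)
        pos = start + length
    return out


def build_sample_key():
    """Construct a non-functional key: v4 RSA public key, user ID, and a filler 'signature'."""
    key_body = (b"\x04" + struct.pack(">I", 1500000000) + b"\x01"
                + b"\x00\x09\x01\x23"          # MPI n = 0x123, 9 bits (toy value)
                + b"\x00\x11\x01\x00\x01")     # MPI e = 65537, 17 bits
    key_pkt = bytes([0xC0 | 6, len(key_body)]) + key_body           # new format, 1-octet length
    uid = b"Constructed Example <example@example.invalid>"
    uid_pkt = bytes([0x80 | (13 << 2) | 0, len(uid)]) + uid         # old format, 1-octet length
    filler = b"\x00" * 300                                          # stands in for a signature body
    sig_pkt = bytes([0xC0 | 2, 192 + ((300 - 192) >> 8), (300 - 192) & 0xFF]) + filler  # 2-octet length
    return key_pkt + uid_pkt + sig_pkt


if __name__ == "__main__":
    for pkt in parse_packets(build_sample_key()):
        print(pkt)
```

This is only the framing layer; a real dump still has to walk signature subpackets, handle v3 keys and partial body lengths, and verify the certifications, which is why the comment's point stands that doing this without a library is a project in itself.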


PGP/GPG needs to die. It's too clunky, and that means it does not work the way people need it to work.

Do you mean PGP/GPG the program(s)? PGP/GPG the file format (RFC 4880)? Or PGP/GPG's "web of trust" key distribution scheme (which may or may not include public keyservers)?

Regarding the three complaints:

1. If you hate GnuPG the program, there are several other implementations which are less "clunky." Have you tried them? Do they also need to die?

2. RFC 4880 was published in 2007. The state of the art of cryptography has advanced since then, much as the state of the art of email has advanced since RFC 822 was published in 1982. And just as RFC 822 has been updated over the years, there's an in-progress effort to update RFC 4880: https://datatracker.ietf.org/wg/openpgp/about/ Are you also calling for that working group to "die"?

3. Some poor implementation choices for the public keyservers made them unusable for a time. There's definitely room for something better—Keybase was great but understandably wasn't sustainable as a VC-funded company. I hardly think we need to throw GnuPG and RFC 4880 away because of particular keyserver implementation details. Nor do I think the keyserver failures mean the entire idea of "web of trust" is doomed.

IMO, most of the calls I've heard for PGP to "die" have conflated these issues, and proposed partial solutions which solve e.g. confusing gpg command-line flags, but don't address e.g. key distribution at all. It feels like when people say, "Gmail sucks, therefore email needs to die."


It doesn't make sense to use GPG for anything because it's very obsolete. https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

It's considered obsolete by the mainstream security community. Their prior recommendations often got hacked a lot, too. There's a niche group that promotes stuff that is stronger even if there's drawbacks to using it. We also let people decide if they accept those drawbacks. I'm in that crowd.

I noted that the Snowden leaks said the NSA of all groups hated GPG since it blacked out their collection efforts. They had to send their limited team of hackers to deal with people doing that hitting other parts of their systems. If NSA isn't regularly breaking it, then it should be strong enough to stop all the threats likely to bother me. I push it plus a limited set of commands that make it easy, but annoying, to use. Instead of email, I just tell people to encrypt/sign text and zip files with boring names. That lets us dodge vulnerabilities that come from metadata, email interactions, and so on. Then, send them via whatever mechanism ranging from convenience to full anonymity.

Truth is I rarely use it because other people rarely communicate to me encrypted or request it. They usually send stuff to my Gmail account in plaintext or HTML. It's there if I need something stronger. It's a pain in the butt. I at least know it has a stronger baseline than most tools which are unknowns to me that I assume will get hacked until seeing evidence otherwise.


A lot of the comments I've been getting are in the genre of "well... but GPG works."

Yes, GPG is a powerful tool that makes some encrypted communication possible. But is it really "working" if it's the tool we've had for the past 20 years, and we still ended up in a world where surveillance is so ubiquitous and privacy is so rare? Having used GPG, it seems more likely to me that there are only ~50k GPG users in the world because of the product, not because of weak desire or need for private communication.

I'm not suggesting that there's anything "better," but that it's really sad there isn't. GPG isn't ever going to be anything other than what it is now, and I don't think that's the future we want for ourselves.

We could try to slap a GUI on top of it, but I don't believe great products are made that way. Good UX requires thinking about interactions all the way down to the protocol. The good news is that GPG has such a small legacy install base (literally on the order of ~50k users), that there's no reason to maintain compatibility with OpenPGP. When building new products, we can start fresh with modern cryptography, a modern protocol, and a modern design philosophy.


Well, I always ignore the more grandiose claims - since there is currently no alternative for GPG, and installing Electron apps for Signal or Wire (which then use a single centralized server) really isn’t a viable GPG alternative

But even if you don’t agree with the argument that federation is dead and we truly need Electron apps (with eternally outdated Chrome instances) for secure communication, still you have to admit that PGP is arcane, the cryptography is not modern, and people by and large are ignoring the “web of trust” system. PGP needs a dramatic overhaul, at the end it won’t really be PGP.

(I am not sure if there isn’t a double ratchet system working in federated way. Jabber with OMEMO/OTRv3? Matrix? I don’t know)


Is anyone else kinda hoping that GPG/PGP loses enough respect in the tech community that something fresh comes along that really solves a lot of the UX and security issues they have? (Acquiring keys, rotating keys, identifying compromised keys, and most importantly either reaches a large enough percentage of emails sent that usage of it is not in itself an immediate flag to monitor or can be implemented as a side channel not directly including the signature in the email payload itself.)

The use of GPG is a red flag for me in anything being developed past 2006. Just stop it already, it's terrible and there are better alternatives

GPG is fine if properly configured and very carefully used.

The current defaults GPG presents aren't that safe anymore, and everyone who wants to develop integration with GPG suffers extreme pain because for GPG there is only the CLI interface.

Modern E2EE-capable chat solutions are a good replacement, which are cryptographically stronger and don't have the same chances of blowing up as GPG does.

I don't think it's that much of a conspiracy that there is a bit of time between those events; it's simply that in the latest years, people are advocating for security tools that prefer being resistant to misuse (GPG isn't) and safe by default (GPG isn't) over other tools.


Not a single member of my friends or family is going to use GPG encryption, not even my mother who loves me dearly. I had a computer geek "penpal" for a while and we did monthly emails to each other to catch up via gpg, and even that died off lol

PGP as an ecosystem has always suffered from toolbox-itis: when a tool (especially a cryptographic tool) tries to be everything, it ends up doing nothing particularly well. This got ossified in the form of OpenPGP, and has basically remained the status quo for the last ~25 years.

More generally, the OpenPGP world is in a bit of a double-bind: they can either fix things by breaking compatibility (at which point someone can reasonably observe that there's no good reason not to ditch OpenPGP entirely), or retain compatibility and accept that OpenPGP will never get much better than RFC 4880 and whatever smattering of drafts the GnuPG maintainers agree to implement. One way essentially results in an entirely different tool/standard that happens to be wearing PGP's skin; the other means keeping around misuse-prone and outright broken cryptographic primitives (and bad formats to boot).

(To answer your actual question: email is just a bad substrate for attempting E2EE messaging. Latacora has a great explainer post on why[1]. TOFU is a mostly adjacent concern; trust/identity negotiation is hard, but the thing that makes WhatsApp, Signal, etc. actually work is that they eliminate manual key management and make cryptographic right choices for the user, rather than expecting the user to hold the tool correctly. In other words: they're misuse-resistant, where PGP as an ecosystem has historically not been.)

[1]: https://www.latacora.com/blog/2020/02/19/stop-using-encrypte...

