Hello everyone,
I have a question about the general state of the PGP ecosystem, and Sequoia's role in it, and I hope
this is the right place to ask. If not, apologies, and kindly direct me somewhere more fitting.
I had been an avid user and advocate of PGP until some time in 2018/2018, when first Efail surfaced
(with its infamous "Don't use HTML mails" workaround [1]), and then the keyserver attacks followed
[2]. In summer 2019, Latacora's "The PGP Problem" was published [3], spurring a considerable level of
agreement within the community [4], and even from GnuPG development [5]. Researching these, I
stumbled across even earlier PGP rejections, such as by Matthew Green in 2014 [6] and by Filippo
Valsorda in 2016 [7]. And then there is secushare's "15 reasons not to start using PGP" [8].
I know that some of the criticism is about PGP as a technology, and quite a few are about the GnuPG
implementation. Nonetheless, I subsequently made a hard cut, abandoned PGP-encrypted email
altogether, moved sensitive communication to Signal, and tried to bring the matter to the attention
of colleagues, friends and family, with varying degrees of success. Then, for some years, I ignored
everything around PGP, and basically waited for it to die.
Now it's 2024, people still encrypt email using PGP, Thunderbird incorporated PGP in 2020, Sequoia
goes in its 7th year with increasing adoption, and I, after a long break, am trying to find out what
is actually going on.
My question: Is PGP, as a technology, merely on life support, and should still be generally avoided
– or has it, given younger implementations such as Sequoia, become viable again as a future-proof
foundation for communication, authentication etc.?
Back in the day, I was especially worried about the lack of forward secrecy, keys as long term
secrets and impractical identity tokens, the public WoT, and the overall complexity of the system
design.
That of course is a broad and somewhat audacious question. I am merely looking for an
overview of the state of affairs from a Sequoia perspective, or respective pointers/links, since
even Wikipedia just seems to sum up the status quo as "PGP and OpenPGP have been criticized" [9].
[1] https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
[2] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
[3] https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
[4] https://news.ycombinator.com/item?id=20455780
[5] https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062384.html
[6] https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
[7] https://words.filippo.io/giving-up-on-long-term-pgp/
[8] https://secushare.org/PGP
[9] https://en.wikipedia.org/w/index.php?title=Pretty_Good_Privacy&oldid=120864…
Thanks for your patience and effort,
Florian