Hello everyone,
I have a question about the general state of the PGP ecosystem, and Sequoia's role in it, and I hope this is the right place to ask. If not, apologies, and kindly direct me somewhere more fitting.
I had been an avid user and advocate of PGP until some time in 2018/2018, when first Efail surfaced (with its infamous "Don't use HTML mails" workaround [1]), and then the keyserver attacks followed. [2] In summer 2019, Latacora's "The PGP Problem" was published [3], spurring a considerable level of agreement within the community [4], and even from GnuPG development [5]. Researching these, I stumbled across even earlier PGP rejections, such as by Matthew Green in 2014 [6] and by Filippo Valsorda in 2016 [7]. And then there is secushare's "15 reasons not to start using PGP" [8].
I know that some of the criticism is about PGP as a technology, and quite a few are about the GnuPG implementation. Nonetheless, I subsequently made a hard cut, abandoned PGP-encrypted email altogether, moved sensitive communication to Signal, and tried to bring the matter to the attention of colleagues, friends and family, with varying degrees of success. Then, for some years, I ignored everything around PGP, and basically waited for it to die.
Now it's 2024, people still encrypt email using PGP, Thunderbird incorporated PGP in 2020, Sequoia goes into its 7th year with increasing adoption, and I, after a long break, am trying to find out what is actually going on.
My question: Is PGP, as a technology, merely on life support, and should still be generally avoided – or has it, given younger implementations such as Sequoia, become viable again as a future-proof foundation for communication, authentication etc.?
Back in the day, I was especially worried about the lack of forward secrecy, keys as long term secrets and impractical identity tokens, the public WoT, and the overall complexity of the system design.
That of course is a broad and somewhat audacious question. I am merely looking for an overview of the state of affairs from a Sequoia perspective, or respective pointers/links, since even Wikipedia just seems to sum up the status quo as "PGP and OpenPGP have been criticized". [9]
[1] https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
[2] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
[3] https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
[4] https://news.ycombinator.com/item?id=20455780
[5] https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062384.html
[6] https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
[7] https://words.filippo.io/giving-up-on-long-term-pgp/
[8] https://secushare.org/PGP
[9] https://en.wikipedia.org/w/index.php?title=Pretty_Good_Privacy&oldid=120...
Thanks for your patience and effort,
Florian