But can I replace my YubiKey that holds my PGP signing and encryption keys for pass (the UNIX password manager) and signing git commits? PGP does both jobs and YubiKey keeps the key stubs and does my 2FA. Replace all that in one package and I can stop using PGP.
So I can hunt up and use a flock of utilities that don't follow any particular standard or I can just continue to use stuff based on the OpenPGP standard that all interoperates.
The point is that OpenPGP is not valuable for the boring (but solid) cryptography but the fact that it is a widely used standard.
When the Google community deprecates something as stable as PGP for reasons like "don't have common enough subset" or "can't reach the bar of safe-by-default" or "require a maintainer with deep knowledge" or "some packages are simply not used enough", be afraid. As soon as they have their moat, they will return with statements like, "you shouldn't build your own crypto library, use something stable, something tested in the wild; use our library"
Magic Wormholes looks interesting.
I assume both sender and receiver must be online simultaneously?
What if I want to send file securely and the receiver can grab it, say a week later because he's travelling on a country with no reliable internet connection?
That just how P2P systems are. Magic Wormhole works great when you also use it with a messenger. Otherwise you're gonna need to use a server that runs all the time.
12 comments
[ 2.5 ms ] story [ 50.4 ms ] threadThe point is that OpenPGP is not valuable for the boring (but solid) cryptography but the fact that it is a widely used standard.
What if I want to send file securely and the receiver can grab it, say a week later because he's travelling on a country with no reliable internet connection?
For the first the only progress I've seen is Keybase and their idea of a "social proof".
For the latter there is opmsg (https://github.com/stealth/opmsg) which uses ECDH or DH Kex for Perfect Forward Secrecy.