7 comments

[ 2.5 ms ] story [ 21.4 ms ] thread
The UI is too complex, and the security of the ring of trust relies on the key signing. It would suffer poor key signing habits that no noobs understand.

Plus for key signing, I need to show my papers... What if my interlocutor is an infiltrated whatever? I just blew away my identity. Else, my key worths nothing.

Plus like decentralized certificate system it is vulnerable to a majority attack. Sometimes a local majority in time or space is sufficient.

It requires too much knowledge to be applied correctly.

Service Secret loves to know a secret is exchange and GPG is like telling "hé Deep Packet Inspection terrorist one with well known address1 is talking to well known terrorist2 with address2 and key2"

Secret services do not really care about the secret ... They care about sociograms

Well the only good use I see for GPG mail is to make the content of a mail as valid as a formal contract between two parties.

Heh, no. GPG mitigates a wide spectrum of threats. Not all threats. It's part of an over-all strategy of risk management. Your thinking of "it's a silver bullet that fails completely" is as lulzy as the people who think "it's a silver bullet that works perfectly."

Think probabilistically, not black-and-white binary logic.

Probability:

- I experienced lots of gifted geeks doing stupid things with key signing party (like creating fake ID for their cats); - I experienced IT specialist from the security unable to use GPG with their mailbox to send their forms to RIPE so we used clear text passwords in mail (yes they were of course security experts); - I know for real secret services care more about who talks to whom secretly than what is the secret. And using GPG/PGP is like a smoking gun.

I did too lost all my floppy disk with my revocation key.

I do use my PGP key to sign my python packages. But this UI/UX is hellish.

So yes, GPG sux and is unusable by mere mortals, and even me who advocated for it in the late 90's think that I will not let anyone try to drag any relatives of mine close to this hell, because I would have to do the support, and this product sux big balls.

This sounds like a deeply emotional issue for you. Do keep in mind that other people have a wildly different history with GPG than yours.
I've been hacking on several side projects with GPG and OpenPGP for the past few months[1][2][3], and I've come away from it fully convinced that the lack of interest in PGP is because people don't want to unofficially extend the format. The the fundamental format and specification are really extensible and could be used as the base for most crypto apps, including Keybase/OTR/TextSecure apps. However, for some reason, people are scared to unofficially extend the OpenPGP format specification to add the features they need. Maybe it's that they don't want to extend the format, maybe it's that there's no good tools to actually do that (there really aren't).

For example, there is a "User Attribute" packet you can add to a PGP public key that can contain arbitrary data. The only official format for this packet is a jpeg image, but you can specify up to 99 more types of "attributes" on your own, and parsers that don't understand them will just ignore them. So Keybase could have extended this packet for its online identity validations, but instead it created it's own centralized PKI, signature format, and command line tool. One of my next side projects is going to be trying to add my Keybase signatures for my github to my PGP public key.

Also, there's no reason why the format can't be extended to allow for Forward Secrecy. You could very easily use OpenPGP as the base format for OTR and Axolotl. One of my next side projects is going to be implementing the same OTR and Axolotl flow using OpenPGP as the base format. That way, you could use the public keyservers to start end-to-end encrypted chat sessions (AND utilize the web of trust in the process).

I love Keybase and TextSecure just as much as the next person, but it really sucks that we're having to rely on so few people to maintain the infrastructure, protocols, and formats for the next generation of crypto apps.

[1]: https://github.com/diafygi/publickeyjs

[2]: https://github.com/diafygi/openpgp-python

[3]: https://github.com/diafygi/keyserver-elasticsearch