PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard) are suites of tools meant to aid in encryption, decryption, signing, verification etc. PGP is proprietary (Symantec) and GPG is open source. In essence the two are identical.

Moving around the internet one occasionally stumbles upon people’s PGP/GPG signatures and keys. These they share so that one might communicate privately with them online.

This seems nice enough but the entire format/protocol/suite has had and continues to have great problems and weaknesses and cannot be said to work as intended.

Sadly I do not have enough knowledge about crypto to be able to argue/reason about this on a first principle basis. I do however understand a lot of the arguments and certainly get the gist.

The following piece, The PGP Problem | Latacora, argues that the suite is complicated and confused; legacy support and backwards compatibility have been prioritised over clarity and progress. It is bloated and does too many things, and the address book/“web of trust” functionality creates overhead and even more bloat.

When I myself tried the system some years ago the setup made me feel like the keys were holy and meant to last a lifetime. Private keys are obviously very private and should remain secret, but the notion of such a long-lived key feels wrong; too many eggs in one basket, too much work to flip keys:

you can have backwards compatibility with the 1990s or you can have sound cryptography; you can’t have both.

In place of GPG it is suggested to use
