LWN: Comments on "Future directions for PGP"

How to automate GnuPG

ber — Tue, 09 Jan 2018 20:51:39 +0000

https://wiki.gnupg.org/APIs gives you a number of pointers how to run the GnuPG crypto backend from your application. Note that GPGME language bindings like python-gnupg have become an official part of GnuPG with 2.2, so there is much better support for them.

If there is something missing in GPGME, please let the gnupg-devs know.

Best Regards,
Bernhard
(Disclosure: I'm part of the GnuPG team.)

Progress towards more End-to-End Usability

ber — Tue, 09 Jan 2018 20:45:56 +0000

There is a perception with some people that OpenPGP, its backend and frontend applications have not seen much progress over the last years. I can understand where it comes from. However about 2-3 years ago, the group around Werner Koch (g10code) and Intevation (my company) got more funding, partly in the aftermath of the Snowden revelations and from the German Federal Agency for Information Secutiry. It allowed for getting ahead of quite a bit of backlog and to come up with larger changes, which now are pending to reach more users.

The whole idea is to design for people that do not need to think in security terms, but still get some reasonable
end-to-end security.

* The web key directory (https://wiki.gnupg.org/WKD) allows for detecting a (somewhat) valid pubkey for a given email address, it is a precondition for a nicely working automated encryption.
* GnuPG in 2.2 gained the ability to save and consider the communication history to allow assigning some basic trust levels based on it.
* There is a Free Software OpenPGP/MIME plugin for Outlook (which still is a wide spread email desktop client) gaining more communication partners.
* Some of the concepts show how a user friendly end-to-end crypto can be improved. The reasoning is published for others to build on see https://wiki.gnupg.org/EasyGpg2016/VisionAndStories and https://wiki.gnupg.org/EasyGpg2016/AutomatedEncryption

Bernhard
(Disclosure: I'm part of the team and a gnupg-verein member.)

Future directions for PGP

ber — Tue, 09 Jan 2018 20:27:24 +0000

Reading your comment I think that you want something for people who are hosting a few email addresses. I will see that I can a section about this to wiki.gnupg.org. Thanks for the link!

Note that for small organizations, there is https://wiki.gnupg.org/WKDHosting and for medium hosters https://wiki.gnupg.org/WKS and the specification rfc draft for larger hosters that may want to implement the server side for themselves.

DNS potentially loses more information, this is why we have preferred https.

Bernhard
(I'm among the people that have developed WKD.)

Keybase options

craniumslows — Sat, 06 Jan 2018 15:35:30 +0000

Apologies for the slow response. The service has you sign or encrypt the actions that you take against your profile. Things like adding a friend which I think they call following or verifying a web identity are ones that I can think of off the top of my head. You don’t have to upload a private key, but they do allow it. That’s where my concern comes in.

That said the site is superbly simple to use and with the desktop apps your key stays local and under your control. I really like it and it makes sharing your key and all your other online identities a lot easier.

Keybase options

raof — Thu, 04 Jan 2018 23:04:37 +0000

You need to upload your private key (or, equivalently, use a keypair generated by them) if you want to be able to decrypt or sign stuff on the website. If Keybase doesn't host your private key, those pages will tell you to use the keybase command line tool or gpg, which will use your local key.

Future directions for PGP

mcatanzaro — Thu, 04 Jan 2018 22:22:21 +0000

Trivia: WebKit (on Linux) uses libgcrypt to implement Web Crypto (for better or for worse) and Content Security Policy (where it's used for hashing stuff). So it's not entirely specific to GnuPG.

Usability

jcrawfordor — Thu, 04 Jan 2018 19:16:02 +0000

There's sort of a famous article in security software usability research titled "Why Johnny Can't Encrypt," on the usability challenges of PGP proper in '05.

Take a read through it some time with a modern GUI frontend for GnuPG and see what's improved... you won't find a lot. The commercial products aren't much better, most of them have improved the UI just by hiding things away until there's not a lot left you can do with them. And it'd be tempting for some Linux users to wave their hands and say something about encryption just not fitting the GUI paradigm, but I don't think even they would suggest that the gpg textmode tool has a sane UI.

Keybase options

dany — Thu, 04 Jan 2018 17:19:09 +0000

they require users to upload private keys? which features if I may ask?

Future directions for PGP

flussence — Thu, 04 Jan 2018 11:35:47 +0000

WKD is pretty awfully documented on the GnuPG site if you're a website owner wanting to make your pubkey visible. I found this howto[1] which makes it pretty straightforward. Would prefer to just use DNS records, but my DNS provider is somewhat crippled when it comes to extensions added in the past 10 years…

[1]: https://gist.github.com/kafene/0a6e259996862d35845784e6e5...

Keybase options

craniumslows — Thu, 04 Jan 2018 09:56:42 +0000

I really wish keybase didn’t implement features that require users to upload their private key. That said I like this service and use it to share my public key. It’s a neat idea.

Keybase options

dmarti — Thu, 04 Jan 2018 02:35:51 +0000

You don't need to use social networks to share your key with Keybase. You can put a file on your web site. Example, for my blog:

https://blog.zgp.org/.well-known/keybase.txt

This was easy to do. Keybase supports other fun features too, such as letting you share an encrypted directory with someone you know only by GitHub username.

Usability

ringerc — Thu, 04 Jan 2018 01:28:55 +0000

The key issue with GnuPG it its (lack of) usability.

Experienced software developers I work with often simply cannot get it right. People especially struggle with key creation / management / security / revocation.

It's also often deliberately user-hostile, e.g. in terms of how much of a nightmare it is to script and automate.

I don't see it getting far without a major rethink of how the user interacts with it.

Future directions for PGP

josh — Wed, 03 Jan 2018 22:24:39 +0000

There's another interesting trust model for GPG, as well: Web Key Directory. If you want the key for foo@example.org, you can ask example.org for it via HTTPS. See https://wiki.gnupg.org/WKD .