← Back to context

Comment by roamingnomadic

7 years ago

Is this blog post satire? or an ad of sorts for some vaporware?

The talking alts either use PGP or a botnet. (signal uses PGP with a CA type of thing, so much for "stop using pgp") and whatsapp is owned by facebook.

tarsnap as I understand requires that I lock in to a service to secure my backups. F- that. Someone already talked about wormhole.

And how is essentially forking pgp with 'age' really going to solve things? Wow thanks another forked app! :^)

It would be easier to just make a wrapper for gnupg that sets the settings for everything the author is talking about. (well most of the things the user is talking about)

Wouldn't it be easier to just inform maintainers of the package to change the default standards of packages like gnupg? Has the author even attempted to change some of these things?

Don't get me wrong, I get where the author is coming from. Uinx philosophy should be followed... but certain systems can not be compartmentalized they have to unfortunately interact with other another.

If you for example encrypt data without signing it, how would you know that someone isn't trying to poison ciphertext to extract data leakage or worse yet, they already found a way to decrypt your data and manipulating sensitive data?

An encryption program by DESIGN should also have a method to sign data.

> (signal uses PGP with a CA type of thing, so much for "stop using pgp")

I legitimately have no idea what this means.

> And how is essentially forking pgp with 'age' really going to solve things? Wow thanks another forked app! :^)

A big part of the criticism we've gotten when we tell people "PGP bad" is that we're not providing alternatives. age is one of those alternatives, for one of those use cases.

> It would be easier to just make a wrapper for gnupg that sets the settings for everything the author is talking about. (well most of the things the user is talking about) > Wouldn't it be easier to just inform maintainers of the package to change the default standards of packages like gnupg? Has the author even attempted to change some of these things?

As we mentioned repeatedly in the blog post: no, the PGP format is fundamentally broken, it is not a matter of "just fixing it".

> If you for example encrypt data without signing it, how would you know that someone isn't trying to poison ciphertext to extract data leakage or worse yet, they already found a way to decrypt your data and manipulating sensitive data?

I think you're making an argument against unauthenticated encryption here. That's true! You should not have unauthenticated encryption, the way PGP makes it easy for you to have. age is not unauthenticated encryption, so the criticism does not apply.

  • Signal uses the same public key/private key cryptography. Hopefully that makes more sense?

    In any case, after reading the google doc more carefully, I see the idea isn't to be against the whole pub/private key authentication its just a proposal of how pgp works.

    >age is not unauthenticated encryption, so the criticism does not apply.

    yeah, I see. its pretty good actually.

    • Signal does not use "the same public key/private key cryptography", nor does it use a CA, or anything like a CA.

    • Double ratchet using Curve25519 and Ed25519 signatures is not at all the same asymmetric cryptography as PGP.