Comment by giomasce
7 years ago
As usual, all articles of this OpenPGP-is-bad kind keep failing acknowledging OpenPGP's most important feature: it has a way (clumsy as much as you wish, but existing) to attach identities to keys, and to verify them. I have a rather well connected OpenPGP key, and that means that anyone can verify the signed emails claiming to be from me are actually from me, even if we never met. Of course you can mention XKCD and people saying they will never check a signature, but that's their problem, not mine. If do not bother to check your keys, any encrypting/signing system is untrustworthy. If you have a lot of keys, each for any of your crypto applications, and no way to cryptographically tie them to an identity, you will eventually mess them up, especially if they have to be deployed on more than one machine.
I am perfectly fine with saying that GnuPG uses old algorithms, or that different applications should use different keys, algorithms or techniques. But, please, when designing such systems keep in mind that you want to check where your keys come from and which identity they are attached to. And TTBOMK only OpenPGP is currently able to do that. To me it would be great if all crypto applications done in the right way would have a way to tie their keys to the OpenPGP web of trust, in the same way Monkeysphere tried to do for SSL and SSH keys.
No comments yet
Contribute on Hacker News ↗