sylvi Annotations

What are the doubts, fears, concerns, or criticisms about OpenPGP and its future?

Wednesday, June 10, 2020 - 1:49pm
  • "First, there's the adoption issue others talked about extensively. I get at most 2 encrypted emails a year."
  • "Then, there's the UX problem. Easy crippling mistakes. Messy keyserver listings from years ago. "I can't read this email on my phone". "Or on the laptop, I left the keys I never use on the other machine"."
  • Real issues: "A long term key is as secure as the minimum common denominator of your security practices over its lifetime. It's the weak link."
  • "Never ever ever successfully used the WoT to validate a public key"
  • There's no attacker for whom a long-term key would make sense. Common attackers cannot MitM Twitter DMs, the "Mossad will do Mossad things"...
  • Values he cares about: forward secrecy, deniability, and ephemerality

But interestingly, he also says:

The point is not to avoid the gpg tool, but the PGP key management model.

This is a very subtle nuance. He gives up on PGP not because of the strength of its crypto schemes, but because of its key management model.

Creative Commons Licence