sylvi Annotations

How to write the history of a digital object?

Wednesday, June 10, 2020 - 1:07pm

N.B. I'm aware that the author's goal was very different from mine. The criticisms I will mention are more addressed to myself than to his work.

This history is an interesting one as it starts with the invention of SMTP in 1981, 10 years before PGP invention, and situates its invention with a 1991 senate Bill 266 to ease electronic surveillance. Major historical events (the release of differente versions of the program, the publication of atlernative competitor (such as S/MIME or OTR), as well as vulnerabilities (e.g. Efail) are mentioned. There are also many criticisms that are mentioned and dated back in time.

However, several elements are missing in my opinion:

  • A clear definition of what is PGP: a software program, a standard, or still something else? Or rather, a historical view of how the script of this object has changed over the year, to become several kinds of things. In this article, it is implicit that we talk about the standard, but the history of the standardiation process is missing and PGP is much more than only a standard for E2E encryption of email communcation.
  • There is also very few information about the people behind this history. Zimmermann is the only contributor to be mentionned. It is important to note the importance of other people, such as Schumacher in Norway the 90s, Koch in Germany since 1999, and others.
  • Very few institutions are mentioned. What roles have the IETF, the MIT, or other organizations/institutions (also national agencies) played in the history of PGP?
  • The types of events that are mentioned could be broadened and more detailed. Release of new versions, discoveries of vulnerabilities, change in the laws or policies, beginning of collaboration with institutions (MIT, Germany's BSI), etc.
  • The infrastructures that underline this technology are also missing in this history. What about key servers for instance? Or the very email infrastructure and its development?
  • The ideologies underlying the work around this technology are also missing: for instance, why PGP was invented at all? Is it important to know that Zimmermann was a political activist? If yes, why? What about the Web of Trust?
  • More fundamentally, I think there is too little emphasis on the mundane and almost invivible work of maintenance that punctuates all histories. Many people are working on or with the standard, with very different goals (only authentification stuff, secure email service providers, and so on. Where are these people? Why don't they have a voice in this history?
Creative Commons Licence

What are the doubts, fears, concerns, or criticisms about OpenPGP and its future?

Wednesday, June 10, 2020 - 12:08pm

The author of this article did a pretty good job of centralizing many different elements of the history of end-to-end encrypted communication system. He situates the history of PGP among a broader history of communication systems over the Internet. However, it is a biaised history, as he does not present new developments and implementations of the program (such as the Sequoia projet, the Pretty Easy Privacy project, or many email providers that have native PGP support (ProtonMail, Mailfence, etc.). The criticisms he formulates about PGP are somehow very classical: he quotes, among others, the 2004 OTR article, Green's 2013 "What's the matter with pgp?", Valsorda's 2016 "I'm giving up on PGP", and Lactora's 2019 "PGP Problem", which present well-developed criticisms about PGP. Here's are the most important ones that the article mentions:

  • No forward secrecy
  • Non-repudiation signature scheme
  • Email has no future and its underlying infrastructure is too old. We should move to secure messaging
  • Complexity of the PGP protocol
  • The GnuPG manual is too long and complex
  • Too few users

About this last point, it is interesting to note that when Efail was disclosed, in May 2018, many people, among others journalists, complained that this disclosure was putting them at risk and many voices from the infosec community criticized the disclosure process because of this. There is thus an obvious contradiction that would be interesting to dig into.

In general, the defenders' opinions do not appear in this article.

The author of this history also ignores the fact that much work is being done on the standard specification (see the openpgp-wg/rfc4880bis repository on gitlab) and many emerging projects have come into light (Sequioa, keys.openpgp.org, Pretty Easy Privacy, and so on).

Creative Commons Licence