How is PGP defined?


July 1, 2020

There are two interesting quotes regarding the question. First, at the very beginning of the article, the author affirms:

"PGP" can mean a bunch of things, from the OpenPGP standard to its
reference implementation in GnuPG. We use the term "PGP" to cover all of
these things.

Second, in the section "Incoherent Identity", they specify what they mean:

PGP is an application. It's a set of integrations with other applications. It's a file format. It's also a social network, and a subculture.

PGP pushes notion of a cryptographic identity. You generate a key, save it in your keyring, print its fingerprint on your business card, and publish it to a keyserver. You sign other people's keys. They in turn may or may not rely on your signatures to verify other keys. Some people go out of their way to meet other PGP users in person to exchange keys and more securely attach themselves to this "web of trust". Other people organize "key signing parties". The image you're conjuring in your head of that accurately explains how hard it is for PGP's devotees to switch to newer stuff.

None of this identity goop works. Not the key signing web of trust, not the keyservers, not the parties. Ordinary people will trust anything that looks like a PGP key no matter where it came from – how could they not, when even an expert would have a hard time articulating how to evaluate a key? Experts don't trust keys they haven't exchanged personally. Everyone else relies on centralized authorities to distribute keys. PGP's key distribution mechanisms are theater.

Let's analyze the issue. Ordinarily, it is true that we speak interchangeably about "PGP" as a standard and as an application. But we shouldn't. Pretty Good Privacy (PGP) is an application designed in the late 80s and early 90s by Phil Zimmermann, and published in 1991. OpenPGP is an open standard (RFC4880). GnuPG is one of several implementations of OpenPGP. Okay... this lack of precision in ordinary language may matter for some people.

But this quote addresses a more fundamental issue: "PGP" is linked to a whole "crypto-imaginary" including the web of trust, key-signing parties and cryptoparties. It might be that for some people (is there such a thing as a "community"?), "PGP" has a much broader meaning than just a way to encrypt things. This is a methodological challenge of this research: understanding the various "scripts" of a blurred object (or should I say "actant"?), understanding the connections between all these people and objects, understanding the different and competing definitions of "PGP".