What are the doubts, fears, concerns, or criticisms about OpenPGP and its future?


July 1, 2020

The aim of this article is very clear right from the start: to convince the readers not to use PGP. To do so, the authors enumerate a long list of criticisms that are not new. Reading this offers an argumentative recap of established criticisms of PGP. In this article, PGP refers both to the IETF standard and its implementations (although the authors only mention GnuPG). I just quote some points the authors address, without taking a stand (not my role):

  • "Designed in the 1990s": "No competent crypto engineer would design a system that looked like PGP today, nor tolerate most of its defects in any other design."
  • "Absurd complexity"
  • "Swiss Army Knife Design": basically, you can do many things, but none of these things work well.
  • "Mired In Backwards Compatibility": PGP still supports obsolete functions and algorithms.
  • "Obnoxious UX": the usability is very poor.
  • "Long-Term Secrets"
  • "Broken Authentication" (since the 2000s)
  • "Incoherent Identity": "PGP is an application. It's a set of integrations with other applications. It's a file format. It's also a social network, and a subculture." They also criticize the web of trust and key distribution mechanisms.
  • "Leaks Metadata"
  • "No Forward Secrecy"
  • "Clumsy Keys" (because of the many possibilities)
  • "Negotiation": "If we've learned 3 important things about cryptography design in the last 20 years, at least 2 of them are that negotiation and compatibility are evil."
  • "Janky Code": harsh criticism of GnuPG, the "de facto implementation of PGP". Many CVEs, bugs and so on.

Some of these points are really not new. Long-term secrets and forward secrecy were, for instance, addressed in 2004 in a publication that presents OTR as a counterpoint to PGP. In addition, Matthew Green and Moxie Marlinspike also mentioned similar criticisms about forward secrecy and, most importantly, complexity, in 2013 and 2015 respectively. Common controversies about one of these issues (especially about difficulties in correctly using GnuPG and in choosing the right algorithms among different communities like the GnuPG-users mailing list).

June 10, 2020
  • "First, there's the adoption issue others talked about extensively. I get at most 2 encrypted emails a year."
  • "Then, there's the UX problem. Easy crippling mistakes. Messy keyserver listings from years ago. "I can't read this email on my phone". "Or on the laptop, I left the keys I never use on the other machine"."
  • Real issues: "A long term key is as secure as the minimum common denominator of your security practices over its lifetime. It's the weak link."
  • "Never ever ever successfully used the WoT to validate a public key"
  • There's no attacker for whom a long-term key would make sense. Common attackers cannot MitM Twitter DMs, the "Mossad will do Mossad things"...
  • Values he cares about: forward secrecy, deniability, and ephemerality

But interestingly, he also says:

The point is not to avoid the gpg tool, but the PGP key management model.

This is a subtle nuance. He gives up on PGP not because of the strength of its crypto schemes, but because of its key management model.

June 10, 2020

The author of this article did a pretty good job of bringing together many different elements of the history of end-to-end encrypted communication systems. He situates the history of PGP within a broader history of communication systems over the Internet. However, it is a biased history, as he does not present new developments and implementations of the program (such as the Sequoia project, the Pretty Easy Privacy project, or the many email providers that have native PGP support: ProtonMail, Mailfence, etc.). The criticisms he formulates about PGP are rather classical: he quotes, among others, the 2004 OTR article, Green's 2013 "What's the matter with pgp?", Valsorda's 2016 "I'm giving up on PGP", and Latacora's 2019 "PGP Problem", which present well-developed criticisms of PGP. Here are the most important ones that the article mentions:

  • No forward secrecy
  • Non-repudiation signature scheme
  • Email has no future and its underlying infrastructure is too old. We should move to secure messaging
  • Complexity of the PGP protocol
  • The GnuPG manual is too long and complex
  • Too few users

About this last point, it is interesting to note that when Efail was disclosed, in May 2018, many people, journalists among them, complained that this disclosure was putting them at risk, and many voices from the infosec community criticized the disclosure process because of this. There is thus an obvious contradiction that would be interesting to dig into.

In general, the defenders' opinions do not appear in this article.

The author of this history also ignores the fact that much work is being done on the standard specification (see the openpgp-wg/rfc4880bis repository on GitLab) and that many emerging projects have come to light (Sequoia, keys.openpgp.org, Pretty Easy Privacy, and so on).