The OpenPGP format was designed in the '90s and has never really changed since then. It was documented in RFC4880 in 2008. Unfortunately, in the '90s, people had really no good understanding of crypto yet, and the choices made were poor. Envelope design is poor. Some crypto algorithms are clearly outdated. Some default options are plain wrong.
Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG? That's not a surprise: it's a popular crypto solution and it's a relatively easy target compared to some other mainstream crypto implementations. The Go language maintainer even deprecated the OpenPGP implementation in their crypto standard library because they think OpenPGP is dangerous.
Basically, I would say that the only thing that OpenPGP has for itself is the deployed infrastructure. Or has it? Web of trust is mostly dead, since keyservers are out-of-service. And OpenPGP adoption was never really that high to begin with.
SSH keys are much more widely deployed and used than OpenPGP keys. The format is dead simple, and the crypto implementation from OpenSSH is up-to-date.
I am very happy that git made SSH signing possible; it means I can delete my OpenPGP keys for good. I just hope Linux distros will make the switch soon to a more modern crypto approach: SSH signing or minisign.
If you're wondering about the status of the project, it hasn't gone anywhere!
We're having a little discussion about it here, if you're at all interested in helping out: https://github.com/writefreely/writefreely/discussions/550
Serving your content as a git repository allows people to clone your content to keep it available. It is also easy to redistribute your work.
People can read your content while offline.
You can provide a certificate of origin and assert authenticity by signing your commits/publications.
Versioning is built-in, which allows readers to reference a particular version of your work.
Permalinks are built-in.
Content addressing is built-in.
External contributions are easy to receive and accept.
The web is volatile. HTTP URLs are doing a terrible job at keeping content accessible over time. People just stop hosting their content, lose data or interest or track of their publications to restore URLs after a migration.
I studied IPFS, but IPNS is a failure because of the crippling slowness of resolution.
I laughed at the Web3 BS.
And yet, I found that a blockchain is the solution: git. From now on, I'll write (formatted) plain text, store it in Git and serve the repository.
slower computers, please
I'm a computer guy, but I'm very much over fast computers. Most of your computer's resources are wasted loading ads and trackers on webpages. Video games require more and more power to deliver less interesting experiences. Don't get me started on cryptocurrency. Computers are getting increasingly complex, therefore less reliable, nearly impossible to repair, wasteful, and devastating to the environment. We need #slowcomputers and more #retrocomputing
A feature of email is that my inbox is an immutable copy of everything I received that no one can change.
With email, I can prove I've been harassed, sent malware, wrong links, illegal orders by my employers, the date of an event I've missed because it was wrong and I'm innocent, etc.
With Google AMP, the sender will be able to "update" those emails and deny his mistake, hide proofs, fake the history.
This technology puts people at risk.
Super-excited to announce the highly anticipated independent audit by @LeastAuthority@twitter.com of vodozemac - our next generation native Rust reference implementation for Matrix E2EE (part funded by @email@example.com). Read all about it: https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption
Very good question. Thank you for asking.
To encrypt files, I guess one could use age
Emails are the tricky part. It really depends on your workflow. When I was working for a gov infosec agency, we learned to never use any integrated email crypto solution. Save the blob, decrypt the blob in a secure environment. This helps significantly against leaks and against creating an oracle to the attacker's benefit.
OpenPGP is rarely used in messaging protocols, but if it was I would probably advise leveraging a double ratchet library.
2022, people still ~~use~~ make new implementations of OpenPGP.
What's wrong with these people??
I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
Your Phone May Soon Replace Many of Your Passwords
GitHub will require all code contributors to use two-factor authentication
A Mastodon instance for info/cyber security-minded people.