-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

tl;dr

Look... Cathal, I do like what you've done in the tiny realm of code ~ short, simple, and to the point, some examples being:

Deadlock ~ dead simple encryption
https://pypi.python.org/pypi/deadlock

P2P, serverless microstatus system in 30 lines of pure python
https://github.com/cathalgarvey/tinystatus

(slooooowwwwww claaaaaaaappssssss)

So with that out of the way, I have to say, though, that your criticism of PGP, which has appeared on my TL before, is in my view unwarranted, because GnuPG just isn't getting the funding needed to get what should be done, done. It's been done essentially by one person. And frankly they could use a bit of help in getting out the word.

Here's a thoughtful post from bytemark on this subject: (Please read it)
https://blog.bytemark.co.uk/2014/12/31/gnupg-funding-drive (from Dec. 31, 2014)

Then go on to read this thing:
https://gnupg.org/donate/index.html

As you see they accept all kinds of payment vehicles (and also bitcoin is one of them).

And now here's the kicker: This two-person team which they are trying to get funded, IS NOT FUNDED! Take a look here:
https://gnupg.org/index.html

Again: NOT. FUNDED.

And yes, interfaces like Keybase.io _are_ the future (I've been playing around with it and currently have it in my signature, though I use a different key block (not keybase) for people to import in association with my e-mail), because they make it easier for a larger number of people to access keys, either through something like the keybase service where they host keys, or through a CLI where you hold all that closely. Merkle tree, blockchain, etc. But this begins in my view with a strong foundation, which we have from the work which was done by GnuPG. (In fact, Keybase.io, and any business like it in the future, relies on GnuPG.)

If I were rolling in dough ($$) right now I would dump the giant fat amount of 86,000 € that they are missing so that they would be able to get going on the second GnuPG developer's work right away.

So... enough of the rambling on, can someone who knows someone who has benefited from these economic ups and downs, please forward this e-mail on to them and ask them if they'd be willing to contribute to https://gnupg.org/donate/index.html

I have absolutely zero financial interest in seeing this happen but I know it would help make a better world.

- -O

Cathal Garvey:
How about Pond as email replacement?
I've looked at Pond long enough to see that it calls upon Tor for most of the anonymity heavy-lifting, and that it is clearly targeted at technical users. Most of the people in my life who I speak privately to are not technical. I don't think trivial UX is near in Pond's development roadmap.
I'm curious what you (and others here) think about Keybase, which also seems heavily targeted at normal users. There was some discussion here in mid 2014, but Keybase has been tweaked a lot since then. I'm quite impressed with its usability, but I don't have the expertise to properly evaluate its security. I am uncomfortable with the option of uploading private GnuPG keys, and counting on symmetric encryption for securing them. Better I think would be helping users understand how to properly migrate keys between devices, or perhaps to use smartcards.
Keybase could have been a great way to encourage PGP uptake among normal people years ago when things were accepted to be difficult universally, but PGP's days are behind us. PGP makes a good way to sign code but remains a terrible way to communicate securely, because although it's "uncrackable" when used correctly, it's very easy to accidentally screw up using PGP on either end of the conversation. Also, the lack of PFS ignores parts of the modern threat model that were speculative when PGP was created.
Suffice to say that, even ignoring the issues with Keybase encouraging key escrow by "allowing" or encouraging key upload (!!!), I don't think it helps. Perhaps as a basis on which to build a web-of-trust that can be transposed into newer cryptosystems, but the key escrow part makes falsification of trust a real possibility.
Anyway, maybe that's just me.
- -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good"
https://keybase.io/odinn