"The sequoia-openpgp crate (Rust’s terminology for a library) is a low-level, policy-free OpenPGP implementation. Our goal was to implement all of RFC 4880, and provide an API that can be used to access and modify pretty much everything, but is simultaneously secure by default."
This is pretty exciting. Hope this gives the OpenPGP ecosystem a long needed push and more attention!
"Sequoia was started 3.5 years ago by Justus Winter, Kai Michaelis and me, Neal Walfield. Prior to working on Sequoia, the three of us had worked together at g10code on GnuPG."
I’d recommend that people avoid PGP and use modern cryptography. Eg. AGE, It uses far less and simpler code, so it can be audited. PGP is a complicated old mess.
OpenPGP is a standard, and a very flexible one. Not all implementations need to support all features. You cannot compare it to something like AGE, which is simply a single implementation without any effort to turn it into a standard about anything, nor the goal to support various use cases. We could go on talking about the differences of approach and the benefits and drawbacks of standardization, flexiblity, libraries vs. end-user applications etc, but that's been discussed times and times again here and elsewhere. There is simply no alternative to OpenPGP the standard and its efforts. Or can you point us at one?
Have you looked at the OpenPGP spec? I find it pretty readable, and you will quickly see how it cannot be compared to any single application.
I understand that AGE also has a "spec". It is limited to a single use case, encryption. No signatures, no certifications, no thoughts on key discovery or trust, etc etc.
Sadly age is only tackling one of the easier parts of gnupg, encrypting files. Implying age replaces gnupg is overselling it.
We don't have any good alternatives for a web-of-trust (or something akin) where we can sign files or attest trust to some identity. Signify does parts of this, but lacks the trust aspects which makes you establish convoluted key distribution schemes to ensure you have future signing keys lined up.
There isn't any good replacements for F/OSS developers that needs to have some from of signatures between them. Say replace linux distributions usage of signatures to form some network of developer trust.
Are you claiming that the Sequoia implementation of the OpenPGP standard is a "complicated old mess"? Because the OpenPGP standard (RFC 4880) isn't really all that complicated. A significant portion of is a bit by bit description of the key format.
At any rate, age is hardly any sort of replacement for OpenPGP. It is really only suitable for the case where you want to encrypt something like a backup and not bother to sign it. I am not really sure that it is superior even for that niche case. Most people would want to know a backup is corrupt before they started the restore, not partway through it.
Despite what the few naysayers in this thread would like to have you believe, there is a growing number of projects that rely on OpenPGP for security. Having a modern library for working with them is a giant plus no matter how you spin it.
A big thank you to everyone who worked to get sequoia this far.
tl;dr: PGP is absurdly complex, mired in backwards compatibility with broken crypto algorithms, and relies on long-term secrets with no forward secrecy.
In this very blog post, Sequoia PGP explains that they continue to support SHA-1, which was broken in 2005, for backwards compatibility reasons. They've added some code to mitigate the damage (introducing more complexity); they hope to turn off SHA-1 in 2023.
Cool. In the meantime, don't use PGP, not even Sequoia PGP. Use Signal to transfer messages and files. Use full-disk encryption for encrypting backups. Use Minisign to sign packages. Use libsodium for encrypting app data.
EDIT: This post is currently at -3 downvotes without comment, presumably from folks who think SHA-1 is just fine and that I'm overstating the case. I ask you to just read the link I posted and explain why you think PGP is good, actually, despite its terrible reputation among professional cryptographers and security professionals.
"We can’t say this more clearly or often enough: you can have backwards compatibility with the 1990s or you can have sound cryptography; you can’t have both."
You tell people not to use PGP, then recommend using Signal.
Signal requires a phone number and phone to sign up. The Signal backend server is run by Signal Messenger LLC. As far as I understand, you can't run your own backend server, there's some restriction there.
Signal's encryption is open and audited/auditable, and is convenient however it's not widely implemented in a public manner (Whatsapp and some other sites apparently use it; have consulted with Signal.)
I know PGP has flaws, the other replyee posted a link even.
But in less than 5 minutes, for free, and without violating my privacy to captchas or barbaric service terms, I can:
- Sign up for a brand new email address from a privacy respective service, on (almost) any device/system
- Generate a PGP keypair on (almost) any device/system
- Share the pubkey with a receiver
- Instantly send encrypted content
Is it more inconvenient than installing Signal? Yes, but it's far more flexible.
And I agree with the other replyee, this reply sounds more like a dislike of SHA-1, which is fine, rather than "don't use PGP".
Anyway, yes everyone who uses proprietary or anti-user messaging platforms should move to Signal/Matrix.
* The encrypted emails you send will transmit the headers in plaintext, including the sender, the recipient, and the subject line (which is message content!)
* Anyone who replies to your email unencrypted (which is the default way to reply, because email is insecure by default) will leak not just their own message but your encrypted message as well
* Every archived message will eventually leak
PGP offers you more control over the infrastructure, which might be valuable to you, but that control comes at a cost of reduced security. That's not an appropriate tradeoff for anyone who actually needs to send a secure message.
The link you've given is good, but I think it misses two major aspects that the suggested alternatives don't deal with: identity management+verification and ease of key management.
The former being something entire countries are struggling with, how do we know the correct person is actually receiving the content, how can I be sure? WoT, PKI, whatever. You fail this, the rest is in practice IMHO less than useless. There's things like https://keybase.io that did try to solve this to a reasonable extent, PGP but more modern. It looked hopeful, but Zoom seems to only keep it on life support. Maybe someone will continue, anyways, I digress.
The second aspect is IMHO what determines how usable it is for a single person over long period of time. Maintaining backups of minisig keys, chat keys (or even not being able to do so), file encryption keys is difficult to say the least. It's unlikely you'll even be able to use a HSM for your secrets like a YubiKey. The same negatives listed against PGP apply to other systems suggested in the article. For example how do I communicate to people sending me encrypted messages that I lost and migrated to a new key/subkey? It's a very hairy problem.
(This reminds me, does anyone here know how to get PGP paper keys that use only english words e.g. "brunch pineapple house crow ..."? And does anyone know why we aren't using english words to compare PGP key IDs yet?)
I agree with a lot what the article lists, but the alternatives suggested really aren't compelling when looking at the actual problem. Judging based on the market share, I think I'm not the only one that thinks so.
> (This reminds me, does anyone here know how to get PGP paper keys that use only english words e.g. "brunch pineapple house crow ..."? And does anyone know why we aren't using english words to compare PGP key IDs yet?)
PGP invented that, and if you use actual PGP it will tell you your key fingerprint in English words, using https://en.wikipedia.org/wiki/PGP_word_list . Someone submitted a patch to GPG to do the same, but it got rejected for being non-localisable and bikeshedded to death.
> There's things like https://keybase.io that did try to solve this to a reasonable extent, PGP but more modern. It looked hopeful, but Zoom seems to only keep it on life support. Maybe someone will continue
It seems there's already Keybase like solution using OpenPGP only (no centralized infrastructure needed): https://keyoxide.org/
It seems it is mandatory to post a link to "The PGP Problem" whenever anyone as much as mentions PGP. To save repetition, here is the link to my critique of that particular anti-PGP rant:
You've misunderstood a lot of Latacora's critique, but I think the most important point you've misunderstood is "negotiation."
> PGP does not do negotiation. It can't. PGP supports asynchronous store and forward applications. It works over a one way channel. Your cipher, digest, and compression preferences come along with your public key They are signed and so are protected by the base cryptographic system. An adversary would have to break the cryptography to modify your preferences.
> I do not agree that compatibility is a bad thing. PGP is actually a good example of how to deal with backwards compatibility in a good way.
"Negotiation" here doesn't mean a synchronous back-and-forth conversation. "Negotiation" in this case means, "if you're not sending me the most secure version, I'll just accept a somewhat less secure version."
PGP encrypted messages are "take it or leave it," but that doesn't mean that PGP doesn't do negotiation. Instead, it means that the PGP implementations decide how much insecurity to accept in favor of backwards compatibility.
Here, in the blog post linked at the top of this page, Sequoia moans that they can't bring themselves to turn off SHA-1 because Debian developers use it. They're accepting a less-secure implementation for backwards compatibility. It's right there in TFA.
I'll tell you what: instead of "don't use PGP," how about "Don't use SHA-1 and don't use any tool that accepts SHA-1 by default." Today, in 2020, that means "don't use GPG, and don't use Sequoia PGP" and I'm confident that it means "don't use PGP ever again," but you and I don't have to agree on that.
The fact that you can change the defaults to be more secure and less backwards compatible doesn't make PGP safe to use. It's dangerous by default. Don't use it, and don't advocate that others use it, until PGP is secure by default (in other words, never).
The other thing you've misunderstood is the problem with long-term keys.
> Most people prefer to keep their identity indefinitely. That is why, say, the Signal protocol also has a “practically-forever root key tied to their identity”. It is inherent to the problem.
No. Long-term public identifiers are indeed, desirable, but PGP's public identifiers are paired with secret keys. Tying your identity to your public key means that you can't change your secret key unless you change your public identifier as well. (In Signal terms, that would be like saying that you can't rotate your secret key without changing your public phone number, which would be absurd.)
I was gonna say something about phone numbers and network analysis, but the link above said it better.
>>1 Mobile number
>>Unlike obsolete encryption systems, we require mobile phone to register in our system. Your account is tied to your phone number. Never mind that in many countries around the world SIM-cards can be bought only after presenting a legal ID, and that mobile networks themselves have all-encompassing LI (Lawful Interception) interfaces by design. Also let's ignore the fact that mobile networks still heavily rely on SS7 protocol stack from the 70s, with the security model based on gentlemen's agreement. Some people claim that words "mobile network" and "secure" can't be used in the same sentence, but our security experts think it's very safe. Do you guys not have phones?
It would be great if that were possible. Git commit signing is something that I would love to see be more commonplace, since it is a key part of a secured code supply chain. At my workplace I lead a project to make commit signing mandatory on our git repos, which I wrote about here: https://eos.arista.com/commit-signing-with-git-at-enterprise... .
One of the painful aspects of this was using the gpg tools. They are products of an earlier age and don't display helpful error messages, nor do they display easy to parse messages. I realize that Sequoia doesn't currently have a JSON API, but it looks like one is planned for the future, so that it two thumbs up from me.
Readit News
This is pretty exciting. Hope this gives the OpenPGP ecosystem a long needed push and more attention!
"Sequoia was started 3.5 years ago by Justus Winter, Kai Michaelis and me, Neal Walfield. Prior to working on Sequoia, the three of us had worked together at g10code on GnuPG."
https://age-encryption.org/
Have you looked at the OpenPGP spec? I find it pretty readable, and you will quickly see how it cannot be compared to any single application.
I understand that AGE also has a "spec". It is limited to a single use case, encryption. No signatures, no certifications, no thoughts on key discovery or trust, etc etc.
We don't have any good alternatives for a web-of-trust (or something akin) where we can sign files or attest trust to some identity. Signify does parts of this, but lacks the trust aspects which makes you establish convoluted key distribution schemes to ensure you have future signing keys lined up.
There isn't any good replacements for F/OSS developers that needs to have some from of signatures between them. Say replace linux distributions usage of signatures to form some network of developer trust.
At any rate, age is hardly any sort of replacement for OpenPGP. It is really only suitable for the case where you want to encrypt something like a backup and not bother to sign it. I am not really sure that it is superior even for that niche case. Most people would want to know a backup is corrupt before they started the restore, not partway through it.
$ age-keygen -o key.txt Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p $ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age $ age -d -i key.txt data.tar.gz.age > data.tar.gz
A big thank you to everyone who worked to get sequoia this far.
tl;dr: PGP is absurdly complex, mired in backwards compatibility with broken crypto algorithms, and relies on long-term secrets with no forward secrecy.
In this very blog post, Sequoia PGP explains that they continue to support SHA-1, which was broken in 2005, for backwards compatibility reasons. They've added some code to mitigate the damage (introducing more complexity); they hope to turn off SHA-1 in 2023.
Cool. In the meantime, don't use PGP, not even Sequoia PGP. Use Signal to transfer messages and files. Use full-disk encryption for encrypting backups. Use Minisign to sign packages. Use libsodium for encrypting app data.
EDIT: This post is currently at -3 downvotes without comment, presumably from folks who think SHA-1 is just fine and that I'm overstating the case. I ask you to just read the link I posted and explain why you think PGP is good, actually, despite its terrible reputation among professional cryptographers and security professionals.
"We can’t say this more clearly or often enough: you can have backwards compatibility with the 1990s or you can have sound cryptography; you can’t have both."
You tell people not to use PGP, then recommend using Signal.
Signal requires a phone number and phone to sign up. The Signal backend server is run by Signal Messenger LLC. As far as I understand, you can't run your own backend server, there's some restriction there. Signal's encryption is open and audited/auditable, and is convenient however it's not widely implemented in a public manner (Whatsapp and some other sites apparently use it; have consulted with Signal.)
I know PGP has flaws, the other replyee posted a link even. But in less than 5 minutes, for free, and without violating my privacy to captchas or barbaric service terms, I can:
- Sign up for a brand new email address from a privacy respective service, on (almost) any device/system
- Generate a PGP keypair on (almost) any device/system
- Share the pubkey with a receiver
- Instantly send encrypted content
Is it more inconvenient than installing Signal? Yes, but it's far more flexible.
And I agree with the other replyee, this reply sounds more like a dislike of SHA-1, which is fine, rather than "don't use PGP".
Anyway, yes everyone who uses proprietary or anti-user messaging platforms should move to Signal/Matrix.
* The encrypted emails you send will transmit the headers in plaintext, including the sender, the recipient, and the subject line (which is message content!)
* Anyone who replies to your email unencrypted (which is the default way to reply, because email is insecure by default) will leak not just their own message but your encrypted message as well
* Every archived message will eventually leak
PGP offers you more control over the infrastructure, which might be valuable to you, but that control comes at a cost of reduced security. That's not an appropriate tradeoff for anyone who actually needs to send a secure message.
SHA-1 is just the cherry on top.
The former being something entire countries are struggling with, how do we know the correct person is actually receiving the content, how can I be sure? WoT, PKI, whatever. You fail this, the rest is in practice IMHO less than useless. There's things like https://keybase.io that did try to solve this to a reasonable extent, PGP but more modern. It looked hopeful, but Zoom seems to only keep it on life support. Maybe someone will continue, anyways, I digress.
The second aspect is IMHO what determines how usable it is for a single person over long period of time. Maintaining backups of minisig keys, chat keys (or even not being able to do so), file encryption keys is difficult to say the least. It's unlikely you'll even be able to use a HSM for your secrets like a YubiKey. The same negatives listed against PGP apply to other systems suggested in the article. For example how do I communicate to people sending me encrypted messages that I lost and migrated to a new key/subkey? It's a very hairy problem.
(This reminds me, does anyone here know how to get PGP paper keys that use only english words e.g. "brunch pineapple house crow ..."? And does anyone know why we aren't using english words to compare PGP key IDs yet?)
I agree with a lot what the article lists, but the alternatives suggested really aren't compelling when looking at the actual problem. Judging based on the market share, I think I'm not the only one that thinks so.
PGP invented that, and if you use actual PGP it will tell you your key fingerprint in English words, using https://en.wikipedia.org/wiki/PGP_word_list . Someone submitted a patch to GPG to do the same, but it got rejected for being non-localisable and bikeshedded to death.
It seems there's already Keybase like solution using OpenPGP only (no centralized infrastructure needed): https://keyoxide.org/
maybe BIP39? (afaik it's used for paper keys in bitcoin-adjacent things)
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawi...
* https://articles.59.ca/doku.php?id=pgpfan:tpp
> PGP does not do negotiation. It can't. PGP supports asynchronous store and forward applications. It works over a one way channel. Your cipher, digest, and compression preferences come along with your public key They are signed and so are protected by the base cryptographic system. An adversary would have to break the cryptography to modify your preferences.
> I do not agree that compatibility is a bad thing. PGP is actually a good example of how to deal with backwards compatibility in a good way.
"Negotiation" here doesn't mean a synchronous back-and-forth conversation. "Negotiation" in this case means, "if you're not sending me the most secure version, I'll just accept a somewhat less secure version."
PGP encrypted messages are "take it or leave it," but that doesn't mean that PGP doesn't do negotiation. Instead, it means that the PGP implementations decide how much insecurity to accept in favor of backwards compatibility.
Here, in the blog post linked at the top of this page, Sequoia moans that they can't bring themselves to turn off SHA-1 because Debian developers use it. They're accepting a less-secure implementation for backwards compatibility. It's right there in TFA.
I'll tell you what: instead of "don't use PGP," how about "Don't use SHA-1 and don't use any tool that accepts SHA-1 by default." Today, in 2020, that means "don't use GPG, and don't use Sequoia PGP" and I'm confident that it means "don't use PGP ever again," but you and I don't have to agree on that.
The fact that you can change the defaults to be more secure and less backwards compatible doesn't make PGP safe to use. It's dangerous by default. Don't use it, and don't advocate that others use it, until PGP is secure by default (in other words, never).
The other thing you've misunderstood is the problem with long-term keys.
> Most people prefer to keep their identity indefinitely. That is why, say, the Signal protocol also has a “practically-forever root key tied to their identity”. It is inherent to the problem.
No. Long-term public identifiers are indeed, desirable, but PGP's public identifiers are paired with secret keys. Tying your identity to your public key means that you can't change your secret key unless you change your public identifier as well. (In Signal terms, that would be like saying that you can't rotate your secret key without changing your public phone number, which would be absurd.)
https://blog.erlang.moe/2020-12-01-acme-messenger.html
>>1 Mobile number
>>Unlike obsolete encryption systems, we require mobile phone to register in our system. Your account is tied to your phone number. Never mind that in many countries around the world SIM-cards can be bought only after presenting a legal ID, and that mobile networks themselves have all-encompassing LI (Lawful Interception) interfaces by design. Also let's ignore the fact that mobile networks still heavily rely on SS7 protocol stack from the 70s, with the security model based on gentlemen's agreement. Some people claim that words "mobile network" and "secure" can't be used in the same sentence, but our security experts think it's very safe. Do you guys not have phones?
One of the painful aspects of this was using the gpg tools. They are products of an earlier age and don't display helpful error messages, nor do they display easy to parse messages. I realize that Sequoia doesn't currently have a JSON API, but it looks like one is planned for the future, so that it two thumbs up from me.
It keeps the identity out of the key. If the user requires inclusion of the identity, it must be verified by confirming an email.
https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
Deleted Comment
Having said that, if you need to use it, it's awesome that now it has a modern and saner implementation.