Sorry but what is the actual point of this blog post?
GPG is just one guy. Who's practically beggared himself writing and maintaining the tool.
GPG is actually used by human rights activists, journalists etc. That, right there, is reason enough to celebrate it and NOT "kill it off".
I think the massive pile-on this is creating is really dumb, to be honest. So Moxie thinks it could be done better; that's great. He's good enough that he can "show, not tell".
Why waste time denigrating a project that's basically a labour of love for one guy that is actually tremendously important, even if it's "90's technology"? Old doesn't necessarily mean bad.
> Why waste time denigrating a project that's basically a labour of love for one guy that is actually tremendously important, even if it's "90's technology"? Old doesn't necessarily mean bad.
In the world of crypto, where we've learned so much, yes old means bad. Almost always.
Why denigrate GPG? Unfortunately, because the message that it's not good isn't being widely heard.
How many NEW crypto projects are being created that start out by saying, "first we will use GPG"? I've seen lots. OK, you failed right there, right at the start. Don't do that.
How many crypto geeks STILL spout rubbish about how the PKI is totally busted and the web of trust is the future? Way too many. WoT is sort of like the year of desktop Linux by now. It's just a bad joke that too many people won't let go of.
The most serious and effective applied cryptographers I know about are all ignoring GPG and rolling new modern crypto protocols. I feel the same way as Moxie - if you build a product based on GPG then almost immediately you are less interesting than a project that's doing something new.
And FWIW I have the same sinking feeling when I get a GPG encrypted email. Sometimes I don't read it immediately, I put it off. Sometimes I have to put it off because I'm not near my laptop. And when I decrypt it, inevitably I discover that I could have guessed the contents of the mail from the subject line and identity of the sender. The encryption was largely pointless to begin with.
The future of encrypted messaging is not GPG. We need to collectively let it go.
It's not about GPG sucking; it's about the absence of anything sucking less than GPG.
It's not about activists and journalists being (more or less) able to use GPG; it's about the fact that nobody who doesn't face as deadly a risk as them would bother to use GPG.
I didn't feel any denigration reading him; rather, the statement that:
* We have new crypto needs, in the wake of revelations such as Snowden's;
* GPG isn't an adequate answer to those needs, and isn't likely to evolve into one;
* Tech people don't realize that GPG is unlikely to morph into an adequate solution, and therefore don't bother starting an alternative.
Finally, I believe that a successful answer would rely on excellent UX and PR at least as much as sound crypto. I'm not aware that Moxie is an expert in these fields (although he might have more talents than I know), so it's not obvious that he's in a position of showing rather than telling.
We need very good quality encryption software that is not really hard to use.
PGP is impossible for many people to use correctly. That means there is a bunch of -- often insecure -- software to fill the gap.
So the people who really need PGP/GPG have to struggle to use it and don't know if they've managed it or they use some other software instead that probably doesn't protect them.