By the way, I haven't used PGP for a while beyond bootstrapping better forms of authenticated encryption or signing. I do occasionally deal with looking at the backlog of PGP encrypted emails, and I will sign emails as needed to confirm my identity, but I won't encrypt my mail.
Conversation
It's a completely garbage legacy technology with awful usability and poor security. I have no reason to encrypt emails to strangers because I'm not going to write anything I wouldn't write publicly here anyway. For anyone I want to talk to privately I switch to using Signal, etc.
3
4
Replying to
I wish Signal could be federated. Right now it's a huge central point of failure.
2
Replying to
Federation is a huge liability in other ways and holds back the privacy and security of the ecosystem by requiring backwards compatibility and ending up with a bunch of awful / poorly maintained implementations. I used to believe in XMPP + OMEMO, but I don't use it in practice.
1
2
I think Matrix is a great example of everything that's wrong with federation. It was an opportunity to prove otherwise, but it did the opposite. Trying to be all things for all people and prioritizing features above privacy / security is a serious issue. Extensions are an issue.
1
Signal has taken a slow and steady approach to implementing features in a way that fits into the privacy and security focus. If there were other clients / servers innovating and racing to come out with features, it would be a problem. There are federated alternatives to Signal.
1
I think Signal has ended up being such a good option largely because it has centralized development and implementations. Once it has usernames, other federated servers for those could work, but they'd need to be forced to upgrade promptly, which is probably just not realistic.
1
So, lets say that one of these is used by 100k people and stops being promptly upgraded. They want to drop support for the old protocol version, as it's holding back development and those users also aren't going to be secure. What happens? Should they just break that server?
They did attempt federation at one point and if I remember correctly it turned out very badly. I think it was bundled into CyanogenMod with them having their own server, and they didn't take it seriously. Worth noting Signal's client expires and must be updated quite quickly too.
1
The same thing would have to apply to servers, but users wouldn't have a way to deal with it. They can't force the maintainer of their server to update. Also means people will be using servers that are going to go down which wipes out their identity. Happened to me on XMPP twice.
1
Show replies