While we're on the GPG topic, the thing that's struck me as wrong with the whole UX and key infrastructure is the statefulness and lack of compartmentalization.
Conversation
I'm supposed to have keys for people with whom my correspondence is potentially secret, stored in a keyring alongside all my other keys, and visible any time I list/search my keys? WTF.
3
5
Replying to
GPG doesn't even provide the functionality to specify a file and the key to verify it. It will attempt to use any key in the keyring. To do something like that without needing to carefully check the output afterwards, you need to use separate keyrings for nearly every use of it.
I've thought it was awful for years, but for a while I signed all my emails with it and encrypted email whenever possible. I've moved on from that and no longer consider it worth using. The usability / security is just too awful, and needing to import so many keys makes it worse.
1
2
Last month, I made a thread explaining that I no longer use it regularly for email for quite some time (at least a year). I'm only willing to use it to bootstrap saner approaches, like Signal. I have Matrix too, but I'm not sure how much I trust that yet.
Quote Tweet
By the way, I haven't used PGP for a while beyond bootstrapping better forms of authenticated encryption or signing. I do occasionally deal with looking at the backlog of PGP encrypted emails, and I will sign emails as needed to confirm my identity, but I won't encrypt my mail.
Show this thread
1
Show replies