Thank you for this well written informative article!
I have a few questions.
1. There was work in progress to update the OpenPGP protocol, e.g., RFC 4880bis. What’s the status of this draft? When can users expect AEAD from OpenPGP?
Some of the criticisms of PGP are lack of modern authentication, lack of forward secrecy, and limited usability.
FS is probably not relevant to email that involves long-term storage. UX is out of scope of protocol. AEAD however is expected these days. MDC isn’t modern authentication.
2. Is PGP currently effective against powerful adversaries?
3. What do you think of claims that Sequoia is an interesting project in a doomed ecosystem?
1. Unfortunately, the draft is progressing much slower than many people would like. This is partially because not all parties agree on the best way forward for a number of technical decisions that need to be made including AEAD. See for instance this discussion: https://mailarchive.ietf.org/arch/browse/openpgp/?gbt=1&inde...
Happily, the group was rechartered at the beginning of this year and the charter is more narrow (just a cryptographic refresh). So, I'm hopeful that we'll see a new version of OpenPGP in the near future.
2. I present some evidence that PGP is effective against powerful adversaries despite its bad UX in my blog post.
We (Sequoia PGP) are working on improving the UX. Currently we are focused on the plumbing. We have a library, which we put a lot of effort into making not only feature complete, but also safe. We spent a lot of time thinking about how to make the API usable and secure by default. We're working our way up the stack with tools like Hagrid (which powers keys.openpgp.org) and OpenPGP CA (https://openpgp-ca.org), a tool for administering in-house, federated CAs.
3. If I thought the project I was working on was doomed, I'd stop :D.
It’s good news that we will see a new version soon.
The current version is probably secure, but an update is still needed if only for marketing (features such as AEAD or FS have become partly selling points; they may not be relevant in some cases).
1. The last I looked the initiative was somewhat on pause. It turned out that the question of how best to avoid emitting unauthenticated data in an authenticated encryption scheme for large streams/files was still open (see the age encryption utility for an example of an approach). At one point they had an implicit requirement for infinite memory. OpenPGP is primarily a message format. It would be inappropriate to use the standardization process to design and promote new cryptography. I suspect that this will start up again when there is more consensus as to the optimal approach. There is no huge hurry for email or file encryption as they are normally resistant to the sort of oracle attacks that AE prevents.
The MDC has fared remarkably well over the years. There doesn't seem to be any huge hurry there either.
2. Probably. There isn't really very much there to attack. The actual cryptography is quite simple. When used for email you can do everything offline in a secure environment. So it is probably the strongest system commonly available in practice.
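The chunked construction the comment above points at (the approach age takes, as opposed to a single MDC checked only after the whole message has been emitted), as an added illustration that is not code from this thread, from age or from Sequoia. It uses an HMAC-SHA256 counter-mode keystream as a constructed stand-in for a real cipher; the keys, nonce and chunk size are constructed for the example.

```python
import hmac
import hashlib
import struct

CHUNK = 64          # constructed: tiny chunk size so a small input spans several chunks
TAG_LEN = 32        # HMAC-SHA256 tag per chunk


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # PRF in counter mode as a toy stream cipher; a real scheme would use AES/ChaCha here.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _chunk_nonce(file_nonce: bytes, index: int, last: bool) -> bytes:
    # STREAM-style nonce: per-file nonce || 32-bit chunk counter || last-chunk flag.
    # The counter stops reordering; the flag stops silent truncation of the tail.
    return file_nonce + struct.pack(">IB", index, 1 if last else 0)


def encrypt_stream(enc_key: bytes, mac_key: bytes, file_nonce: bytes, plaintext: bytes) -> list:
    chunks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)] or [b""]
    out = []
    for i, pt in enumerate(chunks):
        nonce = _chunk_nonce(file_nonce, i, i == len(chunks) - 1)
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
        out.append(ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest())
    return out


def decrypt_stream(enc_key: bytes, mac_key: bytes, file_nonce: bytes, chunks: list) -> bytes:
    # Each chunk is verified before its plaintext is released, so memory stays bounded
    # by one chunk and no unauthenticated data is ever handed to the caller.
    plaintext = []
    for i, blob in enumerate(chunks):
        ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        nonce = _chunk_nonce(file_nonce, i, i == len(chunks) - 1)
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"chunk {i} failed authentication")
        plaintext.append(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))
    return b"".join(plaintext)


def rejects(enc_key: bytes, mac_key: bytes, file_nonce: bytes, chunks: list) -> bool:
    # True when a tampered chunk list (truncated, reordered, bit-flipped) is refused.
    try:
        decrypt_stream(enc_key, mac_key, file_nonce, chunks)
        return False
    except ValueError:
        return True
```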