Some thoughts on the future of OpenPGP and GnuPG

[Andrew Gallagher]

On 2019/07/01 17:32, karel-v_g--- via Gnupg-users wrote:

> So my question as a user with a need for strong mail encryption is,
> whether it is not a time to start over with an all new encryption
> standard replacing OpenPGP and S/MIME completely.

The main problem with OpenPGP isn't that its guts are old and slightly
klunky. Many other things that the internet relies on are old and
slightly klunky, but they still do the job. Where it does fall down
often is in ease of use, both for end users and developers. And this is
where most mature software projects end up putting most of their time,
because "fit for use" is an order of magnitude more difficult than "fit
for purpose". [1]

The problem is that a) there's no revenue model for email security, so
the big companies are reluctant to work on it for profit, and b) it's
not sexy, so the talented youngsters aren't willing to work on it for
fun. That will be true of any replacement, which is why despite people
suggesting a modern replacement for over a decade, nobody has actually
made one. And while starting from scratch may look tempting because it
gets rid of all the technical debt, it also gets rid of all the
technical assets.

Yes, there are sexy new things like Signal, but they got to where they
are by doing one (relatively straightforward) thing and doing it well.
OpenPGP is a generalist tool, which explains both why it has ended up
quietly embedded in so many other things, and why it is so difficult to
upgrade or replace.

> To propagate the distribution of this
> hypothetical new format it might be useful to get some of the major
> mailproviders, business software companies and mail software vendors
> might be useful

And this is the crux of the problem. If the big mail providers took
email security seriously, we would never have got here in the first
place. But the nature of email is that nobody owns it, therefore it is
nobody's job to fix it. And the people who care have real jobs and
mortgages.

[1]
https://www.quora.com/What-is-the-service-utility-and-warranty-in-ITIL-v3

-- 
Andrew Gallagher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190702/50403a93/attachment.sig>