blog

my (and your) PGP habits could be better

2018 Jul 15, by opal hart (PGP signature)

I am an opportunistic PGP user, and I've used PGP for quite some time. if you encrypt mail to me, I'll encrypt back. if a download has a signature, I'll check it. I sign every one of my blog posts automatically, thanks to some dirty hacks to bashblog.

what's the issue then? well, I don't always do it religiously. I used to have a proper canary, but I abandoned it because it was a hassle on my end and I was afraid that nobody checked it anyway (I was wrong, one person actually did check it). that's why I have switched to blogging, which is sort of a more natural medium to sign and doesn't require me to go as out of my way to update (and even then, I have been slacking on my blog really hard).

there are some other issues with my current use of PGP. check to see if the following also applies to you:

here are some issues I have seen with others' use as well as when I have been trying to use PGP with others:

and lastly, usability and interface issues. it feels like XMPP all over again, what with all the different clients and none of them implementing the full standard in a correct and easy-to-use manner. there are practically no full-featured GUI frontends for PGP, and the GnuPG commandline implementation discourages newbies (and even people like me) from figuring out how to correctly maintain personal keypairs and a full keyring. I use keys for different purposes (some for E-mail, others for download signing) and it isn't immediately obvious that I could probably have two or more keyrings for that. also, is it possible to attach metadata to PGP keys (such as your XMPP account, website, or anything else that could possibly help verify people)? if it's possible, I surely don't know how to do it, nor do I know where I can search for more information.

so, my suboptimal use of PGP is everyone's fault. and if you use PGP, you're probably using it suboptimally as well. I don't want to bash PGP outright for being a poor standard – I mean, come on, it has been around for decades, and it's still suggested by security professionals. but over those decades, very little has been done to change the state of affairs, and it's so easy to use it wrong.

as always, I accept E-mail replies to my posts, but I especially want to hear readers' thoughts on this. I want to gauge how others use PGP, and I want to see what others believe should be the correct way of using it.

Tags: security