Let’s Declare GPG a Dead End for Encrypted Email

Moxie Marlinspike:

Looking forward, however, I think of GPG as a glorious experiment that has run its course. The journalists who depend on it struggle with it and often mess up (“I send you the private key to communicate privately, right?”), the activists who use it do so relatively sparingly (“wait, this thing wants my finger print?”), and no other sane person is willing to use it by default. Even the projects that attempt to use it as a dependency struggle.

These are deep structural problems. GPG isn’t the thing that’s going to take us to ubiquitous end to end encryption, and if it were, it’d be kind of a shame to finally get there with 1990’s cryptography. If there’s any good news, it’s that GPG’s minimal install base means we aren’t locked in to this madness, and can start fresh with a different design philosophy. When we do, let’s use GPG as a warning for our new experiments, and remember that “innovation is saying ‘no’ to 1000 things.”

Any solution that isn’t easy to use and easy to understand is a poor solution. And GPG is neither.

Thursday, 26 February 2015