I am no cheering fan, for sure, but I think it's disingenuous to say PGP is one of the least important systems on the internet. Debian package distribution, notably, depends rather pivotally on PGP to ensure authenticity. Keybase uses PGP as it's root trust mechanism. There are plenty of email services that use PGP to secure messages. I've even come across some recent (as in the last few years) startups using PGP to implement their internal or application-level trust relationships (run by quite sane and well adjusted individuals nonetheless). I worked at a Unicorn in the last 10 years that implemented secret storage and distribution using GPG tooling. In fact, recently and close to home for me, we implemented some application level key exchanges and the security person we consulted with for a 2nd set of eyes actually said (paraphrasing), "I don't like this thing it's custom but if you use ElGamal I'd be more comfortable because at least it's well understood."
Of course these are all things that can and probably should be replaced by something more palatable. So why haven't they?
If it's not obvious, my argument is neither for nor against PGP, really. It's that I'm tired of hearing about how much PGP sucks without also hearing about the solution. I think the burden is on the people wishing to eradicate it to muster up the blesséd alternative and shepherd it into the vernacular.
It is one thing to make a case for the continued maintenance of PGP, or even to say that it has a place in modern cryptography (that's an outré thing to say among cryptography engineers, but, whatever).
It's another thing entirely to say that any cryptography engineer critical of PGP must have a weird personal vendetta against it, as you did upthread.
Harsh criticism of the failings of PGP is practically an orthodoxy among cryptography engineers. It is not a good design by modern standards, and lots of cryptographers would dearly love to be rid of it. Push back on them because you don't think it's worth the time for Debian to switch to minisign, fine, but don't slander people while you're doing it.
I didn't say "that any cryptography engineer critical of PGP must have a weird personal vendetta against it". I know the history and context around the matter. I know Filo has actually tried to do the work to replace PGP. I know it didn't stick. I imagine he more than many people understands how difficult the task of replacing it is. But in my opinion that should lead to a more tempered stance that represents an understanding of this subtlety. Instead we see him on team deprecate PGP software because it's not what We want golang users using. Excuse me if I attribute a small ounce of personal pride to that stance. I could be wrong. This is a discussion thread not a formal essay. I respect many things about Filo. I'm just critical of this particular crusade.
I mean yeah, you're right. PGP has been culturally deprecated for years now. There's no skirting that. I am quite happy that Debian is switching to minisign. Once that transition is complete that will be one less reason to keep PGP around. Really, I have absolutely zero allegiance to PGP. I'm just willing to admit that it works (and quite well) despite all the shortcomings that cryptography engineers love to spar with during happy hours. I sincerely do not disparage efforts to replace PGP. I am just tired of the passé mantra that PGP sux amirite or gtfo. As we both clearly understand, it's not really that simple.
Of course these are all things that can and probably should be replaced by something more palatable. So why haven't they?
If it's not obvious, my argument is neither for nor against PGP, really. It's that I'm tired of hearing about how much PGP sucks without also hearing about the solution. I think the burden is on the people wishing to eradicate it to muster up the blesséd alternative and shepherd it into the vernacular.