If having seed funding from the US military / government is a dealbreaker for your communication platforms, you should not be on the internet in the first place. Google “arpanet.”
GPG is hard in part because the problem it is solving is hard: allowing people to send private messages to strangers over an open system with diverse implementations designed many years ago without any regard to privacy.
It is also hard because it was released (as PGP) ~30 years ago, when computers and available encryption algorithms were significantly less powerful than they are today. Hence, there are more choices in the system than would be ideal.
In my experience it can be effective if adopted as the default for email with a group that works together daily (ish) and takes responsibility for standardizing on strong cipher and key size choices and distributing a trusted set of keys (regularly, since some will always be expiring). This is a fair amount of work compared with “have email be clear text and selectively use Signal for extra sensitive things.” (And you’ll still want Signal anyway. Email is just the fallback.) But it relies much less on people figuring out what to put in the “sensitive” bucket.
Having 6 levels of trust (or was it 7?) must qualify as the worst UX decision of all time. People barely keep their contact lists up to date (in fact, nobody), let alone categorise them.
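The two comments above touch on the same maintenance chore: keeping a group's key set on strong algorithms and sizes, catching keys before they expire, and actually recording an ownertrust level for each one. The script below is an added example, not code from this thread; it parses the machine-readable `gpg --with-colons --list-keys` format and reports keys that fall short of an assumed local policy. The keyring listing, the key IDs, the user IDs and the minimum bit lengths are all constructed for the demo.

```python
"""Audit a GPG keyring listing for weak keys, looming expiry and unset trust.

Input is gpg's `--with-colons` listing. In real use you would pipe the
output of `gpg --with-colons --list-keys` into this script; the sample
below is constructed for the example and is not a real keyring.
"""
import sys
import time

# Constructed sample listing (fake key IDs, fake user IDs, fixed timestamps).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:1800000000::u:::scESC::::::23::0:
uid:u::::1600000000::HASH1::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1800000000:::::e::::::23:
pub:f:1024:17:1111222233334444:1200000000:1727000000::f:::scESC::::::23::0:
uid:f::::1200000000::HASH2::Bob Legacy <bob@example.org>::::::::::0:
pub:-:256:22:AAAABBBBCCCCDDDD:1690000000:::-:::scESC::::::23::0:
uid:-::::1690000000::HASH3::Carol New <carol@example.org>::::::::::0:
"""

# Public-key algorithm numbers as gpg prints them in field 4 (RFC 4880 IDs).
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Ownertrust letter from field 9 of a pub record.
TRUST_NAMES = {"-": "unknown", "q": "undefined", "n": "never",
               "m": "marginal", "f": "full", "u": "ultimate"}

# Assumed local policy (not a gpg default): minimum key length per algorithm.
MIN_BITS = {"RSA": 3072, "DSA": 3072, "ECDH": 256, "ECDSA": 256, "EdDSA": 256}
DAY = 86400


def parse_keys(listing):
    """Return one dict per primary key (pub record) with its first user ID."""
    keys = []
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = {
                "keyid": fields[4],
                "bits": int(fields[2]),
                "algo": ALGO_NAMES.get(int(fields[3]), "algo" + fields[3]),
                "created": int(fields[5]),
                # Field 7 is empty when the key never expires.
                "expires": int(fields[6]) if fields[6] else None,
                "ownertrust": fields[8],
                "uid": "",
            }
            keys.append(current)
        elif fields[0] == "uid" and current is not None and not current["uid"]:
            current["uid"] = fields[9]  # first uid record after the pub line
    return keys


def audit_keys(keys, now, warn_days=30):
    """Map each key ID to a list of policy findings (empty list = clean)."""
    report = {}
    for k in keys:
        findings = []
        if k["algo"] == "DSA":
            findings.append("DSA signing key; prefer RSA >= 3072 or EdDSA")
        min_bits = MIN_BITS.get(k["algo"])
        if min_bits is not None and k["bits"] < min_bits:
            findings.append(
                f"{k['algo']} {k['bits']}-bit key below policy minimum {min_bits}")
        if k["expires"] is None:
            findings.append("no expiration date set")
        elif k["expires"] <= now:
            findings.append("key has expired")
        elif k["expires"] - now <= warn_days * DAY:
            findings.append(f"expires in {(k['expires'] - now) // DAY} days")
        trust = TRUST_NAMES.get(k["ownertrust"], k["ownertrust"])
        if trust not in ("full", "ultimate"):
            findings.append(f"ownertrust is {trust}")
        report[k["keyid"]] = findings
    return report


if __name__ == "__main__":
    # Use `gpg --with-colons --list-keys | python audit.py` for a real keyring.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    keys = parse_keys(listing)
    for key, findings in audit_keys(keys, now=int(time.time())).items():
        uid = next(k["uid"] for k in keys if k["keyid"] == key)
        print(f"{key} {uid}: {'; '.join(findings) or 'ok'}")
```

Only the primary `pub` record is checked here; a fuller audit would also walk the `sub` records, since an encryption subkey can expire or be weaker than the primary key it hangs off. The thresholds in `MIN_BITS` are the kind of thing the group in the comment above has to agree on; gpg itself will not flag a 1024-bit DSA key as unusable.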
I had high hopes for Autocrypt, which solves much of PGP's terribad UX (maybe we should call it a porcelain?), but as the author and anyone has noted: simply nobody uses PGP. People barely use email anymore.
Social media and messengers such as Signal are where people communicate.
I gave up on gpg when I couldn't get my key signed at defcon multiple years in a row. If there's not interest in it at defcon, I don't know where else to go.
You cannot trust corporate "end-to-end" encryption, it often is marketing language without any basis in software.
So GPG (PGP) is the only current choice to be "reasonably secure". That means if you make no mistake and your counterparties make no mistakes, then you can communicate relatively safely about medium-sensitive things online.
Absolute security, however, requires a one-time pad, and if you desire it you had better use a medium with a smaller attack surface [than the Internet].
> When I receive a GPG encrypted email from a stranger, though, I immediately get the feeling that I don’t want to read it. Sometimes I actually contemplate creating a filter for them so that they bypass my inbox entirely, but for now I sigh, unlock my key, start reading, and – with a faint glimmer of hope – am typically disappointed.
That's such a weak take and a lame intro to an article. I immediately have no idea where the author wants to take me from here. So if anyone knows, don't bother telling me, as I already moved on from boredom.
https://en.wikipedia.org/wiki/Open_Technology_Fund
One can claim that the OTF sponsors encryption like Tor and Signal to help dissidents abroad. Maybe, but the list of organizations and people involved in the OTF are far from a glowing endorsement.
In that light, discouraging gpg and PGP makes me more eager to use gpg.