Op-ed: I’m throwing in the towel on PGP, and I work in security

Enlarge (credit: Christiaan Colen)

Filippo Valsorda is an engineer on the Cloudflare Cryptography team, where he’s deploying and helping design TLS 1.3, the next revision of the protocol implementing HTTPS. He also created a Heartbleed testing site in 2014. This post originally appeared on his blog and is re-printed with his permission.

After years of wrestling with GnuPG with varying levels of enthusiasm, I came to the conclusion that it’s just not worth it, and I’m giving up—at least on the concept of long-term PGP keys. This editorial is not about the gpg tool itself, or about tools at all. Many others have already written about that. It’s about the long-term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.

Trust me when I say that I tried. I went through all the setups. I used Enigmail. I had offline master keys on a dedicated Raspberry Pi with short-lived subkeys. I wrote custom tools to make handwritten paper backups of offline keys (which I’ll publish sooner or later). I had YubiKeys. Multiple. I spent days designing my public PGP policy.

Read 29 remaining paragraphs | Comments