For some reason this isn't built into operating systems yet, so programs like pass use PGP. Original need: You want to store individual pieces of data without making their contents accessible to anyone else on your system. The Notary project is a productionized and audited implementation. For an idea of how it works in practice, check out the designs for Python's package infrastructure ( PEP 458, PEP 480). It's a modern toolkit meant to resist all kinds of update-related attacks that PGP signatures simply don't address. If you're a maintainer of self-serve packaging infrastructure or otherwise have more complex needs, you should take a look at TUF. Need I even mention that EdDSA is much, much faster than RSA? As a bonus they're mostly compatible with each other because the keys are all EdDSA keys. These tools are extremely simple and robust because they only support one algorithm, lack state or any notion of a keyring, and are usually decoupled from complex messaging formats (which should be a separate concern from your signature cryptography). I wrote one as a party trick last month – it's less than 200 lines of code and that includes some silly key parsing tricks. Modern alternative: a lightweight signing tool like OpenBSD's signify or minisign, either of which you could quickly build in Go using x/crypto/ed25519. Original need: Linux distributions and many other software update mechanisms use PGP signatures to prevent malicious mirrors or network attackers from altering the contents of their packages. Here are the most common uses of PGP and their modern, focused alternatives. The "modern alternative" is to use a much more specific and much less configurable solution to your problem. It's a do-everything design that predates modern cryptographic engineering and hasn't worked out well. The thing is, there can't be a direct modern alternative to PGP. I recently got into this again on a thread that mentioned deprecating Go's OpenPGP package and people always ask the same question: if not PGP, then what? But the most widespread uses of PGP are machine-oriented, for needs like package signing and local file encryption. No one was sending you encrypted emails anyway, so that's easy enough. Whatever it is, you're here, and you're finally ready to give up on PGP. Maybe you're just tired of living like a spy and never using smartphones. Did your last Yubikey just break? Perhaps you forgot an offline backup password.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |