Op-ed: I’m throwing in the towel on PGP, and I work in security

After years of wrestling with GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up—at least on the concept of long-term PGP keys. This editorial is not about the gpg tool itself, or about tools at all. Many others have already written about that. It's about the long-term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.

Trust me when I say that I tried. I went through all the setups. I used Enigmail. I had offline master keys on a dedicated Raspberry Pi with short-lived subkeys. I wrote custom tools to make handwritten paper backups of offline keys (which I'll publish sooner or later). I had YubiKeys. Multiple. I spent days designing my public PGP policy.

I traveled two hours by train to meet the closest Biglumber user in Italy to get my first signature in the strong set. I have a signature from the most connected key in the set. I went to key-signing parties in multiple continents. I organized a couple.

I have the arrogance of saying that I understand PGP. In 2013 I was dissecting the packet format to brute force short IDs. I devised complex silly systems to make device subkeys tie to both my personal and company master keys. I filed usability and security issues in GnuPG and its various distributions.

All in all, I should be the perfect user for PGP: competent, enthusiast, embedded in a similar community. But it just didn't work.

First, there's the adoption issue others talked about extensively. I get, at most, two encrypted e-mails a year.

Then, there's the UX problem: easy crippling mistakes; messy keyserver listings from years ago; "I can't read this e-mail on my phone" or "on the laptop;" "I left the keys I never use on the other machine."

But the real issues, I realized, are more subtle. I never felt confident in the security of my long-term keys. The more time passed, the more I would feel uneasy about any specific key. Yubikeys would get exposed to hotel rooms. Offline keys would sit in a far away drawer or safe. Vulnerabilities would be announced. USB devices would get plugged in.

A long-term key is as secure as the minimum common denominator of your security practices over its lifetime. It's the weak link.

Worse, long-term key patterns, like collecting signatures and printing fingerprints on business cards, discourage practices that would otherwise be obvious hygiene: rotating keys often, having different keys for different devices, compartmentalization. Such practices actually encourage expanding the attack surface by making backups of the key.

We talk about Pets vs. Cattle in infrastructure; those concepts would apply just as well to keys! If I suspect I'm compromised, I want to be able to toss the laptop and rebootstrap with minimum overhead. The worst outcome possible for a scheme is making the user stick with a key that has a suspicion of compromise, because the cost of rotating would be too high.

And all this for what gain?

"Well, of course, long-term trust."

Yeah, about that. I never, ever, ever successfully used the WoT to validate a public key. And remember, I have a well-linked key. I haven't done a formal study, but I'm almost positive that everyone that used PGP to contact me has, or would have done (if asked), one of the following:

• pulled the best-looking key from a keyserver, most likely not even over TLS
• used a different key if replied with "this is my new key"
• re-sent the e-mail unencrypted if provided an excuse like "I'm traveling"

Travel in particular is hostile to long-term keys, making this kind of fresh start impractical.

Moreover, I'm not even sure there's an attacker that long-term keys make sense against. Your average adversary probably can't MitM Twitter DMs (which means you can use them to exchange fingerprints opportunistically, while still protecting your privacy). The Mossad will do Mossad things to your machine, whatever key you use.

Finally, these days I think I care much more about forward secrecy, deniability, and ephemerality than I do about ironclad trust. Are you sure you can protect that long-term key forever? Because when an attacker decides to target you and succeeds, they won't have access just from that point forward; they'll have access to all your past communications, too. And that's ever more relevant.