PGP and the trouble with the web of trust


I have been a fan of Pretty Good Privacy and Gnu Privacy Guard for years. It was just a great idea and I would love to see it more widely used. One problem PGP has always had is the learning curve and ease of use. It used to be very difficult to integrate it into your email. Today it is easier to use with plugins for Thunderbird and other mail apps.

One of the greatest weaknesses of PGP from way back in the day until today is key exchange and how to know you have a valid key for someone you are trying to contact. We have key servers where you can search for a key for someone’s email address, but again you have the issue of how do you know that the person you are contacting actually posted that key and it isn’t an adversary who is pretending to be that user. Back in the day there used to be discussions of key signing parties and other things that just didn’t seem practical. I think my PGP key has been signed by 1 user. Then along comes Keybase. This seems to solve the big issue with PGP which is how to find a key for someone and how to know you can trust that key. Now if someone follows me on Twitter and this website they can see that Keybase has validated my PGP key against ownership of this domain and my twitter account among other things finally solving the issue.

Now we finally have better tools for PGP, and the world has moved on to web mail which makes it much more difficult to encrypt end to end again. Anyway if Keybase sounds interesting to you, you can find me here. If anyone wants an invite to it send me a request for an invite on twitter.

,