Besides the fact that a signify/minisign are a raw key instead of being padded with identity information, in what way are they actually better?
Similarly, minisign makes no claims at identity at all. You get a random string, and the user is responsible for knowing which key is for what user. The minisign public key contains nothing but the key.
To me, that is a horrible user experience.
A PGP public key contains many bits of information besides just the key, and that is how this is even possible.
PGP tools are install nearly everywhere (except windows) by default, while minisign is an extra install.
PGP is bloated and complex, trying to be the Swiss Army Chainsaw of encryption and verification. It lacks modern features of encryption tools such as channel binding (which opens whole categories of exploits) and perfect forward secrecy (instead preferring to use long-lived keys, which are a nightmare of their own).
PGP also allows a host of insecure options without mandating secure ones: while it does offer good algos and distribution mechanisms (e.g. WKD), it also offers poor/deprecated algos and disasters like keyserver pools.
As for Signify: Minisign supports trusted and untrusted comments in signatures to supply metadata.
Some distributions like OpenBSD and Void Linux have finally upgraded their package signing from PGP to Signify; Debian is in the process of migrating from PGP to Ed25519 sigs (https://wiki.debian.org/Teams/Apt/Spec/AptSign). If we manage to switch enough distros off PGP, maybe we can remove the need to have PGP installed by default.
Not in any relative sense. The commonly used Signal protocol for example is much more complex and is only applicable to one narrow category of application. In the Keyoxide case we are only doing signing so that is the only part of the OpenPGP standard that would be applicable.
>...channel binding...
Could you expand on how that might relate to PGP applications?
>...perfect forward secrecy...
... is not relevant for the protection of things like files. Even for messaging it is rarely of any value as users like to keep their old messages around.
OpenBSD needed something compatible with the license of the base distribution. The mistake made was that signify was not made to use a preexisting format. So it is an attempt to create a whole new standard in a way that provides no benefit to anyone.
> In the Keyoxide case we are only doing signing so that is the only part of the OpenPGP standard that would be applicable.
The problem is that PGP does a lot of stuff besides signing too; this is bad design, and is one in a long list of issues with PGP. Its network effect extends to areas where issues like the lack of channel binding and PFS are relevant (e.g. communication platforms): people use the "it's already installed (for something else)" argument far too often to justify using it for something it isn't suited for (most other things).
> OpenBSD needed something compatible with the license of the base distribution. The mistake made was that signify was not made to use a preexisting format. So it is an attempt to create a whole new standard in a way that provides no benefit to anyone.
Signify's standard is dead simple, and already has several implementations. The friction involved in adopting it is low enough for this to be a minor concern. The benefit is that it helps us move away from complex dependencies like GPG and towards simple ones like minisign/signify that only do what's necessary.
> PGP is bloated and complex, trying to be the Swiss Army Chainsaw of encryption and verification. It lacks modern features of encryption tools such as channel binding (which opens whole categories of exploits) and perfect forward secrecy (instead preferring to use long-lived keys, which are a nightmare of their own).
Strong identity and long lived keys are a requirement. Perfect forward secrecy does not make sense in a world were I want to prove that all things signed by me are in fact signed by me. If I generated a new key, how do I distribute that key to someone else in a way they can trust that key? And if you have that secure channel working and trust worthy, why do you even need to sign anything?
Even in the case of debian apt signing changes, all the key signing happens in the public view, there is nothing secret about it.
Perfect forward secrecy is only for encryption and does not make sense in the case of signatures, but even in the case of encryption (age) you have a similar key distribution problem. If you are constantly making ephemeral keys that's great, but it also means you need the receiver to make a new key on every file the sender wants to send. This means people will still have long lived keys, and perfect forward secrecy does not apply.
Lastly, in most async communication, like email, PFS is very difficult because you don't have channels that can easily negotiate channels. There is autocrypt which gets pretty far, but has it's own troubles. For any real time communication, TLS and Olm are the way to go. But at this point we are very very far away from minsign which.
> PGP also allows a host of insecure options without mandating secure ones: while it does offer good algos and distribution mechanisms (e.g. WKD), it also offers poor/deprecated algos and disasters like keyserver pools.
PGP has been around for a long long time. None of the options were insecure when they were implemented. Minsign and age have decided that their tools will only have 1 algo, the correct and most secure one. However that can change in just a few years. At which point it will either become more like PGP or we will have to migrate everyone to the new best tool. This is madness.
A PGP implementation that was more aggressive at deprecating weak methods is far better than this new pointy tools.
> As for Signify: Minisign supports trusted and untrusted comments in signatures to supply metadata.
As you say this data is untrusted and unsigned. Having it proves nothing about the ownership of the private key.
> Some distributions like OpenBSD and Void Linux have finally upgraded their package signing from PGP to Signify; Debian is in the process of migrating from PGP to Ed25519 sigs (https://wiki.debian.org/Teams/Apt/Spec/AptSign). If we manage to switch enough distros off PGP, maybe we can remove the need to have PGP installed by default.
I have read their reasoning on this several, and I firmly believe this is a huge mistake. Or at the very least a lot of work that provides no actual value. However the keys here are distributed by packages, so there is already a TOFU when you install the system. In the end there is not actual end user impact here, besides making it much more difficult to know if the signature of a package is valid manually.
> Strong identity and long lived keys are a requirement. Perfect forward secrecy does not make sense in a world were I want to prove that all things signed by me are in fact signed by me. If I generated a new key, how do I distribute that key to someone else in a way they can trust that key? And if you have that secure channel working and trust worthy, why do you even need to sign anything?
A communication platform should handle this for you. Every modern E2EE platform offers out-of-band verification. The problem with PGP is it's used as a "go-to" encryption and verification tool for other situations where PFS is necessary (e.g. communication) due to its network effect ("it's already installed"). Minisign/Signify, in comparison, are used just for verification; they are a better fit for this because they don't try to be anything else.
> but even in the case of encryption (age) you have a similar key distribution problem. If you are constantly making ephemeral keys that's great, but it also means you need the receiver to make a new key on every file the sender wants to send. This means people will still have long lived keys, and perfect forward secrecy does not apply.
Age is for file encryption. An E2EE communication protocol/platform should have provisions to automate this process.
> PGP has been around for a long long time. None of the options were insecure when they were implemented. Minsign and age have decided that their tools will only have 1 algo, the correct and most secure one. However that can change in just a few years. At which point it will either become more like PGP or we will have to migrate everyone to the new best tool. This is madness.
It is better to have new versions of a standard than to extend a standard to include all possibilities. The equivalent would be making all TLS and SSL versions just extensions of the original SSL standard; a client talking to a server would negotiate between a plethora of secure and insecure cipher suites.
Age uses 256-bit AES keys and the HKDF; Signify uses Ed25519 signatures. If these are found to be insecure in the coming decades, the solution would be to release a spec for Age 2 or Signify 2 instead of just adding an option to use a different combination of algos/curves/KDFs.
> As you say this data is untrusted and unsigned. Having it proves nothing about the ownership of the private key.
No, I didn't say that. I said that it supports both trusted and untrusted comments. Trusted comments are signed.
> In the end there is not actual end user impact here, besides making it much more difficult to know if the signature of a package is valid manually.
Given a source, sig, and pubkey, verification can be done with the following command:
This isn't any harder than using GPG unless you're using the "it's already installed" argument, which kinda proves my point about the network effects exacerbated by having a "do-it-all" tool instead of a "do-one-thing" tool. Minisign dogfoods this to sign its releases, and you can see Fedora's RPM spec use it quite easily to verify its tarball:
> It is better to have new versions of a standard than to extend a standard to include all possibilities. The equivalent would be making all TLS and SSL versions just extensions of the original SSL standard; a client talking to a server would negotiate between a plethora of secure and insecure cipher suites.
> Age uses 256-bit AES keys and the HKDF; Signify uses Ed25519 signatures. If these are found to be insecure in the coming decades, the solution would be to release a spec for Age 2 or Signify 2 instead of just adding an option to use a different combination of algos/curves/KDFs.
I hope you realize this doesn't make sense. Would minsign2 be able to read minsign1? For an end user, they will need to know even more out of band information about the signature they want to verify.
The extremely poor ergonomics of minsign are my problem with it. It doesn't have solutions for many problems, and it's users flat out hand wave future problems.
> I hope you realize this doesn't make sense. Would minsign2 be able to read minsign1? For an end user, they will need to know even more out of band information about the signature they want to verify.
"Signify 2" would be a specification, not a program. A future Age or Signify implementation would be able to handle multiple versions of their specs without mixing their components together just as easily as:
- A TLS/SSL program (OpenSSL, LibreSSL, bssl, etc) can work with TLS 1.2 and 1.3.
- libcurl can handle HTTP/1.0, HTTP/1.1, and HTTP/2.0
Say Age 2 uses, I don't know, "AES-512" (I pulled that out of my ass for illustrative purposes, don't tell anyone) and Argon2id instead of AES-256 and the HKDF. Your choices would be Age 1 or Age 2; you wouldn't be able to use both AES-512 and the HKDF, or AES-256 and Argon2id. There would be fewer combinations to keep track of, making it easier for other implementations to support less as insecure standards get phased out (c.f. TLS 1.0, 1.1). Insecure standards will still be around and be relatively simple to implement for anyone interested (especially for Signify, whose spec is so basic).
This is how versioned specs are supposed to work, with iteration rather than extension. The command I demonstrated wouldn't have to change.
If Age followed the PGP approach, a future version would support choosing either AES-256 or AES-512, and either the HKDF or Argon2id. You'd mix-and-match, and write all the metadata into the file. It'd be much harder to move away from bad standards. Instead, right now, Age just writes the version of the Age spec being used; that implies the rest.
Nah troll baiting is saying "PGP tools are installed nearly everywhere (except windows) by default" when windows still has almost 80% market share on PCs. Most of the rest are on macos. If you want something to be useful that relies on network effects then they, and mobile users are who you need to accommodate. Linux on the desktop users are a rounding error.
Besides the fact that a signify/minisign are a raw key instead of being padded with identity information, in what way are they actually better?
Similarly, minisign makes no claims at identity at all. You get a random string, and the user is responsible for knowing which key is for what user. The minisign public key contains nothing but the key.
To me, that is a horrible user experience.
A PGP public key contains many bits of information besides just the key, and that is how this is even possible.
PGP tools are install nearly everywhere (except windows) by default, while minisign is an extra install.
PGP's web-key-directory is making knowing the right for a user trivial and tamper resistant. IE: https://keyoxide.org/wkd/george%40shamm.as
It's hard for me to see any benefits of minisign really besides key size. Calling it "superior in every way." is straight troll bait.