Reply to post: PGP is not security

Facebook flings PGP-encrypted email at world+dog. Don't lose your private key


PGP is not security

What I find frustrating about these OpenPGP efforts is that they are largely futile. PGP is effective for hiding the content of email, but it’s not effective for normal communications.

I think the real Snowden revelation was just how important the metadata are. Who’s sending messages of what sizes to whom, when. OpenPGP does nothing to secure that. Snowden used PGP to hide the leak, but he used proxies and temporary email addresses to hide his identity as the leaker. And he only trusted that for a short time. To provide privacy, we need the metadata to be hidden for everyday email. We need a comprehensive replacement for SMTP email.

The biggest problem with encryption in SMTP is that it is bolted onto the protocol ad-hoc. Communicating with end-to-end encryption vs communicating with everything where the server can see it: The difference can be observed, decreasing security. Discussing whether to use SSL to communicate with the server: It can be disrupted, decreasing security. Even server-to-server communication is not entirely secure. We need to replace SMTP with a protocol that is actually designed for security.

I’m hoping that Darkmail works out. So, of course, now everybody is hopping onto the OpenPGP train. If I were more paranoid, I would wonder whether this were a conspiracy to keep metadata in the clear. Instead, I’m just hoping we can convince everybody to switch to actually secure email, after going through the pain of working with PGP.
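The metadata point above can be made concrete with a small added example (not part of the original comment): a constructed PGP/MIME (RFC 3156) message is parsed the way a relay or passive observer on an unencrypted hop would see it, and everything outside the ciphertext part (sender, recipient, date, subject, message size, MIME layout) is shown to be readable without any key. The armored block is a labelled placeholder, not real OpenPGP ciphertext.

```python
import email
from email import policy

# Constructed sample PGP/MIME message as it travels over SMTP. The armored
# body is a placeholder standing in for OpenPGP ciphertext.
RAW_MESSAGE = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Date: Mon, 01 Jun 2015 10:15:00 +0000\r\n"
    b"Subject: Q3 numbers\r\n"
    b"Content-Type: multipart/encrypted; protocol=\"application/pgp-encrypted\";\r\n"
    b" boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pgp-encrypted\r\n"
    b"\r\n"
    b"Version: 1\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n"
    b"PLACEHOLDER-CIPHERTEXT-NOT-A-REAL-OPENPGP-PACKET\r\n"
    b"-----END PGP MESSAGE-----\r\n"
    b"--b1--\r\n"
)

def observable_metadata(raw: bytes) -> dict:
    """Return what a relay sees without any key: the cleartext envelope.

    Only the application/octet-stream part is protected by OpenPGP; every
    header, the overall size and the MIME structure stay readable.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = list(msg.iter_parts()) if msg.is_multipart() else []
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),      # Subject is a header, so it leaks too
        "content_type": msg.get_content_type(),
        "size_bytes": len(raw),              # traffic volume is visible on the wire
        "part_types": [p.get_content_type() for p in parts],
    }

def body_is_opaque(raw: bytes, plaintext_hint: bytes) -> bool:
    """True if the ciphertext part carries no trace of the given plaintext."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_parts():
        if part.get_content_type() == "application/octet-stream":
            return plaintext_hint not in part.get_payload(decode=True)
    return False
```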
