Finally, Debian has ditched OpenPGP for repository signing in favor of Ed25519 with SHA512. This is a step ahead for privacy and security. You can see the article here.

As @anon123@lemmy.ml pointed out, the following issues about PGP are not specifically related to Debian article I linked.

  • No authenticated encryption.
  • Receiving a signed message means nothing about who sent it to you
  • Usability issues with GnuPG
  • Discoverability of public keys issue.
  • Bad integration with emails.
  • No forward secrecy.

There’s usuful documentation about it:

  • @Lunacy@lemmy.mlOP
    13 years ago

    Because Protonmail sucks. It works fine in Thunderbird.

    Even if protonMail sucks, email will always leaks meatada.

    When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email, including; To, From, Cc, Date, Subject.

    Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally and is also optional, therefore, only the message content is protected.

    When emails travel between email providers an encrypted connection is negotiated using Opportunistic TLS. This protects the metadata from outside observers, but as it is not E2EE, server administrators can snoop on the metadata of an email.

    Source

    With a lot of drawbacks (using it with multiple devices sucks) for too little gain and you can’t use it in non-interactive protocols such as OpenPGP. Or rather, you can if you do it manually, but it requires interaction.

    Acutally, forward secrecy it’s very useful.

    OpenPGP also does not support Forward secrecy, which means if either your or the recipient’s private key is ever stolen, all previous messages encrypted with it will be exposed. How do I protect my private keys?

    Source