Of all the words we could've used to explain how to pronounce something
Glad I preserved a tweet that commented on a subheadline at The Verge from when the creator of the GIF died:
Subheadline from The Verge: "It's pronounced 'jif'"
Tweet: "I guess he's with jod now"
age -r $(go run filippo.io/torchwood/cmd/age-keylookup@main joe@example.com)Switched to
go install filippo.io/torchwood/cmd/age-keylookup@main
age -r $(age-keylookup alice@example.com)
But I was discussing it with some techies once and someone mentioned to me that it had less entropy (I think they mentioned 256 bits of entropy) whereas they wanted 512 bits of entropy which pgp supported
I can be wrong about what exactly they talked about since it was long time ago so pardon me if thats the case, but are there any "issues" that you know about in age?
Another thing regarding the transparent servers is that what really happens if the servers go down, do you have any thoughts of having fediverse-alike capabilities perhaps? And also are there any issues/limitations of the transparent keyserver that you wish to discuss
Also your work on age has been phenomenal so thank you for creating a tool like age!
> I can be wrong about what exactly they talked about since it was long time ago so pardon me if thats the case, but are there any "issues" that you know about in age?
Entropy bikeshedding is very popular for PGP / GnuPG enthusiasts, but it's silly.
age uses X25519, HKDF-SHA256, ChaCha20, and Poly1305. Soon it will also use ML-KEM-768 (post-quantum crypto!). This is all very secure crypto. If a quantum computer turns out to be infeasible to build on Earth, I predict none of these algorithms will be broken in our lifetime.
PGP supports RSA. That's enough reason to avoid it.
https://blog.trailofbits.com/2019/07/08/fuck-rsa/
If you want more reasons:
I hate to break the narrative but age also supports RSA, for SSH compat:
This transparency keyserver actually gives us an excellent opportunity to measure how many people use Curve25519 vs RSA, even with SSH support.
We should contrast this with actively valid public keys on a PGP keyserver in 2026 and see which uses modern crypto more. The results probably won't be surprising ;)
We've moved from "PGP supports RSA. That's enough reason to avoid it." to "We should contrast this with actively valid public keys on a PGP keyserver in 2026 and see which uses modern crypto more".
There was a theory floating around back in 2018 that the append-only nature of the SKS network makes it effectively illegal due to the GDPR "right to erasure" but nothing came of that and the SKS network is still alive:
1. The monitoring client does not ensure that the checkpoint was created recently, so a malicious log can conceal malicious entries from monitors by serving an old checkpoint.
2. Though the age keyserver policy is not configured this way, the post suggests you could create a policy that requires only a minority of witnesses (e.g. 3 of 10) to cosign a checkpoint. If you do this, then monitors have to get checkpoints that are cosigned by at least 8 of the 10 witnesses. Otherwise, a malicious log could present one view to relying parties that is cosigned by one set of witnesses, and a different view to monitors that is cosigned by a different set of witnesses. There is currently no mechanism specified for monitors to get these extra cosignatures, so if you go with a minority policy you'll need to invent your own stuff in order for witnessing to actually accomplish anything.
I'll add a note to the part of the article that mentions non-majority policies.
noident•1mo ago
xeonmc•1mo ago