Phil Zimmermann at the 2018 OpenPGP Summit

get rid of legacy

  • TLS 1.3 is huge improvement for TLS, got rid of legacy, i’d like to see the same things in OpenPGP
  • I am responsible for some of that legacy crap, i was young. CFB.
  • we should use most modern crypto. and only patent-free. (IDEA fail)
  • let’s get rid of old stuff.
  • Poly1305 is nice
  • don’t like GCM much


  • Post-Quantom-Algorithms. it’s in WireGuard. need to do the same thing in OpenPGP
  • It’s a lot more work. OpenPGP is a mess. lots of implementations. let’s improve it
  • I used to not believe in post-quanton a few years back. but when NSA started warning us that we should get ready, we should. If you don’t trust them, get ready. If you trust them, get ready.
  • we need it now. we can’t wait.
  • post-quantum keys can be huge, let’s not transport keys but fingerprints and download them from servers
  • some keys in the NIST competition from three months ago are obscenely large

use other channels for fingerprint verification

  • we do fingerprint verification, few other people do
  • ZRTP and Signal protocol in same client: Silent Phone
  • lack of network effect in OpenPGP world. we still only have a few million PGP users worldwide. WhatsApp has 1.5 billion. we’re doing something not right
  • DigiNotar catastrophe
  • PGP trust model is hard to explain to your mom or anyone really. we need to get past that
  • let’s leverage other protocols that have alread successfully leveraged network effect
  • imagine if PGP public fingerprints could be transferred through WhatsApp/Signal/Wire, then transfer it to PGP client
  • get larger number of users
  • merkle trees, certificate transparency - these take much longer


  • phil: bootstrapping PGP clients is even harder today, today most people are on mobile devices, these are locked down
  • phil: I don’t use PGP any more. GnuPG can’t import my private key. I can’t make it work. I’m protected from EFAIL by inability.
  • Werner: We can import post-quantum-keys at any time. We only need to change the spec to allow keys larger 64K.
  • Vincent: Not that easy. Want to use a combination of different keys.
  • Phil: post-quantum into the protocol sounds simple, but …
  • Phil: less post-quantum signature algorithms. and they sucks. we could procrastinate a few more years on signature algorithms
  • Vincent: Who is “you” working on it? Phil: I for KPN, C-U-Tel, Startpage.
  • Status? Phil: We need a clean, simple, limited protocol. Like TLS 1.3.