• sublimefire 2 hours ago

    Dunno, IMO you need to know the bits of what the operator is running to fully trust the third party, e.g. run in an enclave and share attestation evidence and the source code. Otherwise, the operator can just mimic the appearance of the log.

    • FiloSottile 2 hours ago

      No, the point of the Merkle tree inclusion proofs and of the witness cosignatures is precisely that the operator can't show a different view of the log to different parties.

    • Thom2000 4 hours ago

      I wonder if they think of a deeper integration of this into the age binary. Currently the invocation looks extremely ugly:

          age -r $(go run filippo.io/torchwood/cmd/age-keylookup@main joe@example.com)

      • akerl_ 4 hours ago

        I assume once it's stabilized you'd swap the `go run` for just installing and using a binary, similar to what you're already doing with age.

        • FiloSottile 3 hours ago

          Honestly not sure why I didn't do that once the tool had stabilized.

          Switched to

              go install filippo.io/torchwood/cmd/age-keylookup@main
              age -r $(age-keylookup alice@example.com)

          age is designed to be composable and very stable, and this shell combination works well enough, so it's unlikely we'll build it straight into age(1).

          • Imustaskforhelp 2 hours ago

            Off-topic but I really appreciate golang and so I am always on the lookout for modern alternatives and I found age and I found it to be brilliant for what it's worth

            But I was discussing it with some techies once and someone mentioned to me that it had less entropy (I think they mentioned 256 bits of entropy) whereas they wanted 512 bits of entropy which pgp supported

            I can be wrong about what exactly they talked about since it was a long time ago so pardon me if that's the case, but are there any "issues" that you know about in age?

            Another thing regarding the transparent servers is that what really happens if the servers go down, do you have any thoughts of having fediverse-alike capabilities perhaps? And also are there any issues/limitations of the transparent keyserver that you wish to discuss

            Also your work on age has been phenomenal so thank you for creating a tool like age!

            • some_furry an hour ago

              > But I was discussing it with some techies once and someone mentioned to me that it had less entropy (I think they mentioned 256 bits of entropy) whereas they wanted 512 bits of entropy which pgp supported

              > I can be wrong about what exactly they talked about since it was a long time ago so pardon me if that's the case, but are there any "issues" that you know about in age?

              Entropy bikeshedding is very popular for PGP / GnuPG enthusiasts, but it's silly.

              age uses X25519, HKDF-SHA256, ChaCha20, and Poly1305. Soon it will also use ML-KEM-768 (post-quantum crypto!). This is all very secure crypto. If a quantum computer turns out to be infeasible to build on Earth, I predict none of these algorithms will be broken in our lifetime.

              PGP supports RSA. That's enough reason to avoid it.

              https://blog.trailofbits.com/2019/07/08/fuck-rsa/

              If you want more reasons:

              https://www.latacora.com/blog/2019/07/16/the-pgp-problem/

      • notyourancilla 4 hours ago

        > The author pronounces it [aɡe̞] with a hard g, like GIF, and is always spelled lowercase.

        Of all the words we could've used to explain how to pronounce something

        • tptacek 3 hours ago

          It's pronounced "aggie".

          • FiloSottile 3 hours ago

            >:)

          • noident 5 hours ago

            Filippo Valsorda discusses his server for storing age keys

            • xeonmc 4 hours ago

              At first glance I misread this as "stone age keys" and thought it was a dig at gpg

            • upofadown 2 hours ago

              The good old SKS network achieves most or all of the advantages of key transparency in a simpler way by being append-only. An attacker could downgrade your PGP identity on one server but the rest would have the newest version you uploaded to the network.

              There was a theory floating around back in 2018 that the append-only nature of the SKS network makes it effectively illegal due to the GDPR "right to erasure" but nothing came of that and the SKS network is still alive:

              * https://spider.pgpkeys.eu/

              • FiloSottile 2 hours ago

                The SKS network is append-only in aspiration. There is nothing like a Merkle tree stopping a server in the pool (or a MitM) from serving a fake key to a client. The whole point of tlogs is holding systems like that accountable. Also, the section on VRFs of the article addresses precisely the user removal issue.
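
The Merkle tree inclusion check mentioned in the replies above, as an added example that is not part of the thread and not torchwood's or age-keylookup's code: a client recomputes the tree root from the served entry and its audit path, so a substituted key cannot match a root the client already trusts. The entry format, key strings and `checkJoe` helper are assumptions made up for illustration, and verifying witness cosignatures on the root is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// RFC 6962 hashing: prefix 0x00 for leaf hashes, 0x01 for interior nodes.
func hash(b ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(b, nil))
	return s[:]
}
func leafHash(e string) []byte    { return hash([]byte{0}, []byte(e)) }
func nodeHash(l, r []byte) []byte { return hash([]byte{1}, l, r) }

// verifyInclusion recomputes the root from a leaf hash and its audit path (RFC 9162, 2.1.3.2).
func verifyInclusion(index, size uint64, leaf []byte, proof [][]byte, root []byte) bool {
	if index >= size {
		return false
	}
	fn, sn, r := index, size-1, leaf
	for _, p := range proof {
		if sn == 0 {
			return false // more path elements than tree levels
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r) // sibling subtree sits on the left
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p) // sibling subtree sits on the right
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// checkJoe reports whether entry is proven to be leaf 2 of a constructed 3-entry log
// (the "address key" entry format and the key strings are made up for this example).
func checkJoe(entry string) bool {
	left := nodeHash(leafHash("alice@example.com age1-a"), leafHash("bob@example.com age1-b"))
	root := nodeHash(left, leafHash("joe@example.com age1-j")) // stands in for the cosigned root
	return verifyInclusion(2, 3, leafHash(entry), [][]byte{left}, root)
}

func main() {
	fmt.Println(checkJoe("joe@example.com age1-j"), checkJoe("joe@example.com age1-substituted"))
}
```

The same audit path that proves the logged entry fails for any other key, which is why the root the client compares against has to be one that other parties and witnesses have also seen.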