I have no issues with it, and actually happy to see alternative implementations. Possibly because I did not use it much, but it does look fine to me. Not as a complete GPG replacement yet, since some software still depends on GPG, but a viable one, and a suitable one for most of the manual CLI usage (ignoring that its version on slightly older systems has a different interface, adding a bit of confusion; hopefully it is stable now). It was not listed among suggested alternatives in the linked article though, and from what I gather, the author would not be happy with it, either.

▲

tptacek 3 days ago | parent [-]

Since you mentioned me: what's the point? It would be one thing if you could (1) use Sequoia, (2) be assured of modern cryptography, and (3) maintain compatibility with the majority of the installed base of PGP users. But you can't. That being the case, why put up with all the PGP problems that Sequoia can't address? You're losing compatibility either way, so use an actually-good cryptosystem.

▲

defanor 3 days ago | parent [-]

(Sorry for the relatively long post; it so happened in an attempt to explain my point of view in more detail. I think variations of that do come up in such discussions, but staying unnoticed or dismissed; maybe this one will succeed.)

Probably because of my limited usage of Sequoia, but it seemed compatible enough with GnuPG (when it comes to OpenPGP, that is; not their CLIs or APIs): not completely, but enough in practice. The cryptography also looks modern enough to me: it is not like even GnuPG defaults to compatibility with particularly old systems.

If they were notably incompatible though, I guess I would prefer GnuPG for the availability and compatibility reasons, as mentioned above, mainly to avoid fragmentation. Though if there was a better system, as versatile, preferably as easily available, even if not as widely used, I would consider that as well.

Apparently the threat models we have in mind, along with the settings to use those tools in, differ: as mentioned in the sibling comments, my concerns (or past concerns, current issues to deal with) are more about availability, confidentiality in the face of mass surveillance and over varied channels (i.e., versatility). I see (and hear of) people neglecting cryptography altogether in cases where cryptography would be beneficial (for confidentiality, most often), the local government and other threat actors focusing on heavy-handed and basic attacks (aiming to disrupt use of cryptography, such as by blocking the IMs they do not control and other online services, or--perhaps even more often--making use of it not being used at all in the first place); so I struggle to see how, say, age + minisign would have helped anyone over GnuPG in such conditions, or even those rare few who are targeted individually. But I find it much easier to see how a wider adoption of any sufficiently good, versatile, available, and standardized/compatible tools would be useful. So that people would be able to communicate securely using those, as well as the same person would be able to easily decrypt a file they had encrypted years ago without keeping around a toolbox of varied--and likely partially abandoned--tools, which, taken together, would likely be a worse legacy pile of software and algorithms than OpenPGP and its implementations, moving the specification with its different legacy options into users' heads (and replacing the implementation with their manual operations).

Of course everyone having and properly using a set of most polished and foolproof tools implementing algorithms considered most secure (out of practical ones) at the time would be good, but there are issues with adoption, software acquisition and updates, interference (i.e., adverse conditions, including blocking), key distribution, as well as the moving target (changing recommendations/views) to take into account. The algorithms, implementations, and UIs are not to be ignored, but neither are they everything there is, so one has to prioritize all the components.

	▲	tptacek 3 days ago \| parent [-]
		The issue is that the modern cryptographic stuff Sequoia does isn't compatible with installed GnuPG. You can use Sequoia compatibly, but by doing so you're surrendering their cryptographic improvements.