new | ask | show | jobs
some_furry 3 days ago  [ - ]

> But I was discussing it with some techies once and someone mentioned to me that it had less entropy (I think they mentioned 256 bits of entropy) whereas they wanted 512 bits of entropy which pgp supported

> I can be wrong about what exactly they talked about since it was long time ago so pardon me if thats the case, but are there any "issues" that you know about in age?

Entropy bikeshedding is very popular for PGP / GnuPG enthusiasts, but it's silly.

age uses X25519, HKDF-SHA256, ChaCha20, and Poly1305. Soon it will also use ML-KEM-768 (post-quantum crypto!). This is all very secure crypto. If a quantum computer turns out to be infeasible to build on Earth, I predict none of these algorithms will be broken in our lifetime.

PGP supports RSA. That's enough reason to avoid it.

https://blog.trailofbits.com/2019/07/08/fuck-rsa/

If you want more reasons:

https://www.latacora.com/blog/2019/07/16/the-pgp-problem/

Thom2000 3 days ago  [ - ]

> PGP supports RSA. That's enough reason to avoid it.

I hate to break the narrative but age also supports RSA, for SSH compat:

https://man.archlinux.org/man/age.1#SSH_keys

some_furry 3 days ago  [ - ]

That's only because SSH supports RSA. Mainstream usage of age with age public keys only supports X25519.

akerl_ 3 days ago  [ - ]

Eh. You don't really get to do this sleight of hand. If you're gonna rag on RSA support as a shibboleth for bad design, it's bad for GPG and bad for age. If it's direct evidence of bad design, age shouldn't have permitted it via their SSH key support.

some_furry 3 days ago  [ - ]

I agree in principle, but I'm not looking at "what SSH dragged in". I'm looking at age as a pure isolated thing, according to the spec: https://github.com/C2SP/C2SP/blob/main/age.md

This transparency keyserver actually gives us an excellent opportunity to measure how many people use Curve25519 vs RSA, even with SSH support.

We should contrast this with actively valid public keys on a PGP keyserver in 2026 and see which uses modern crypto more. The results probably won't be surprising ;)

akerl_ 3 days ago  [ - ]

Those goalposts are really agile.

We've moved from "PGP supports RSA. That's enough reason to avoid it." to "We should contrast this with actively valid public keys on a PGP keyserver in 2026 and see which uses modern crypto more".

some_furry 2 days ago  [ - ]

We aren't having the same discussion in both places, so no, it's not a fucking goalpost.