Signal is not much of a PGP replacement. There's a lot that PGP can do that Signal can't: signing, encryption of large blobs at rest, and key management.
I use PGP as part of my backup solution, encrypting my backups at rest with an asymmetric key. I can't do that with Signal.
Signal does a better job of practically everything PGP does with regards to message encryption. Yes, PGP is more useful for encrypting files or signing updates. I agree that it's too early to write of PGP for those applications. But people should use Signal instead of PGP for message encryption.
> But people should use Signal instead of PGP for message encryption.
I won't disagree; when your usecase is in Signal's wheelhouse, by all means, use it.
But as someone who uses PGP regularly; the limit of how I could use Signal instead of PGP is limited to the occasional transfer of PII, passphrases, and private keys (something I couldn't use Signal for, since these are typically sent between GUI-less hosts). A very tiny fraction of my PGP usage.
"Signal does a better job of practically everything PGP does with regards to message encryption."
Except for endpoint security. The ultra-portable, self-contained implementations of PGP can run on countless configurations of desktop or embedded system. Transport methods also vary if they're funning messages or files through other apps. All sorts of hardening or isolation techniques can be applied. Remote attackers have a lot to look at trying to break or bypass GPG for an arbitrary user. Whereas, vast majority of Signal use relies on one app with two OS's.
The extra security tech and obfuscation you can layer on PGP/GPG is still an advantage in its favor until competition gets that.
> But people should use Signal instead of PGP for message encryption.
Signal the protocol or Signal the service? There does not appear to be a mature FOSS toolchain for the former that can replace gnupg and Thunderbird/Enigmail, and the latter is only available on Android and IOS smartphones.
Any chance you could elaborate on this? What about email is inimical to secret messages? Why are they less secret over email than through some other medium?
How would that work? Last I checked, Signal used Signal servers for key exchange (or whatever the equivalent in their lingo is). Is there any way to use Signal without relying on their servers?
