PGP is an alright protocol but I cannot recommend gpg for daily use by non-technical users. They make it extremely difficult to use long-term and simple issues like gpg-agent running as a background process become controversies where they could have just made it optional.
Honestly,I think it's an alright piece of software but the project became the way it is as a result of the massive gnupg adoption in the *nix world and lack of competition.
If it isn't cross-platform and user friendly,it shouldn't be used by the average citizen. As much as the cryptonerd in me likes this news,Gnupg as it is shouldn't be used for official matters. Most lawyers and judges would struggle to use it.
So I get the impression GnuPG is considered obsolete by the security community. I'm unclear for which of the many possible scenarios it can be used for.
Is there, right now, a better (security-wise and usability-wise) way to digitally authenticate a message (document/binary/payload)?
This sounds huge. There's entire businesses centered around very specific state laws like this (cf. notarize.com).
I hope this spreads. As long as notarization remains important, digital notarization is important.
I've used both GNPG and Estonian eID. I have to say Estonian eID is way more usable when one needs to sign anything. The (digidoc4) software is just way more usable, nicer and designed for the task. I wish GNUPG were as good
Docusign has been allowed to be used a notary in Washington; or at least Seattle for notary requirements around housing documents.
(Seattle law requires notarization on leases over 12 months).
There's a PGP short ID listed on the e-signed document, but it's not yours. There is no point where Docusign checks your ID.
This is extremely cool, but I wonder in practice whether people in Washington who accept notarized documents/etc would know this is a valid way of doing things? Education seems important here.
Notarizing documents sounds like it could actually benefit from blockchain technology.
Have a set of Established Authorities who can grant notary status. They give notary status to people according to their own set of requirements.
The notaries can then add a record on the block chain saying roughly "I do notarization act X on document Y" (It'll be the equivalent of what they enter in their log books today and there will be some corresponding stamp that they'll stamp the physical document with, like they do today). They could now even notarize digital documents by including a hash of the digitized document in their record.
Finally, the agency receiving the notarized document (digital or electronic) can easily go onto the blockchain and verify that the document was indeed notarized as claimed and that the notarization is not a forgery.
Each agency that receives the notarized document could have their own subset of Established Authorities who's notaries they will accept. This means anyone could become an Established Authority, but individual agencies like the US Federal Government could publicly say "hey, our Authority Id is 'USRoxs'" but it'll be up to the receiving agencies like England's government to decide "We trust the system the US uses to validate it's notiaries, so we'll add 'USRoxs' to our list of accepted Established Authorities (along with 'TheEnglish' of course)"
Matthew Green had a good post on what is wrong with PGP:
https://blog.cryptographyengineering.com/2014/08/13/whats-ma...
In theory, FedEx overnight envelopes, their most lucrative business, just died in Washington state. Am I right?
This is great progress for other locations as well!
That's pretty cool, bro.
tldr; do i still need to pay a notary or can i self attest using a gpg key tied to my email address?
I like it.
All it needs now is a solid blockchain. Vechain could be one perhaps.
Incidentally, I've been working with digital signatures which are legally equivalent to traditional ones in my country (Poland) and comparing them to a GnuPG setup with private keys stored on a YubiKey.
It seems to me that my YubiKey setup (done following https://github.com/drduh/YubiKey-Guide) is substantially better in almost every respect than the state-provided smartcard.
I intend to publish a signed PDF document (signed with the state-certified RSA key) that says that my GnuPG keys are really mine.