
Age for email


I’ve had a couple of different people ask to use age for email, and Emacs can handle that just fine, so I’ve acquiesced. I haven’t settled on a permanent key yet but here is one I’ve been using:


public key: age1p0r26arafja3ehq4kn5mrsh5fjw5mnp6jnde35hs4yq3z9l7tuyqcmjtmu

However, PGP has better tooling for automatic encryption and for key exchange (WKD and Autocrypt). It’s just something the email ecosystem has better adapted to.


Another thing that really sucks about age compared to PGP is that if I encrypt and send something to someone, I can’t then read it myself. If I wanna remember what the heck I’m even writing, I need to save a copy first.


For email, age has all the same drawbacks as PGP:


Susceptibility to MITM

No forward secrecy (worse, since there are some hacky efforts to get some semblance of forward secrecy in some PGP setups)

Same encryption algorithms (like RSA and the quantum-fragile ed25519)

Leaks metadata (sender, recipient & subject)


Age is a good tool for encrypting your backups and your own secret local text files, especially compared to a specific implementation of PGP called GPG:


Easier to use than GPG

Less liable to include deprecated and crusty old algorithms

(This next one only applies to super old versions of GPG since it now also has it, but) Authenticated encryption


Those drawbacks aren’t universal to all PGP implementations, though.


I don’t think it’s worthwhile to use for email.


I prefer PGP. Here is my key.


PGP is probably not the be-all, end-all either. I love email, I want email as a protocol to last forever, it’s the only platform that has managed to be fully federated with a world-writable inbox and a robust set of spam-fighting tools, and with SSL, DKIM, DMARC it has seen great strides, and if email can get better e2ee than PGP that’d be something I’d love; age isn’t it.


The age devs don’t wanna use age for email either, not because it can’t be done (as they point out in their thread, there’s an -a option to make it work) but because they are opposed to email security.🤦🏻‍♀️


> Out of scope: Anything about emails (which are a fundamentally unsecurable medium)


Not really into the idea that we shouldn’t harm reduce email, that we should just give up on it etc. That’s not what I want.


GitHub - FiloSottile/age

Emacs Basics

GPG WKD

Why it’s OK that PGP sucks

Can age encrypt email messages instead of just files?

-- Page fetched on Fri May 17 12:10:35 2024