Score:2

Crypto

Why do people use protocols like PGP, when TLS already exists?

Agniva Chaudhuri

3/18/23, 12:31 AM

TLS is the standard cryptography protocol on the internet, and many websites use it to secure their communications. However, for personal use, most people use other protocols like PGP, instead of using TLS keys/certificates.

There doesn't seem to be any reason to not use TLS for these things, or at least the encryption/signing part. The transport part of TLS isn't always needed, since people have differing needs.

So why do people use PGP (and other protocols/tools like age/signify) rather than using TLS keys directly? Is there any technical reason why they don't do that?

153

0 + 0

tls

protocol-design

pgp

kelalaka

3/18/23, 12:49 AM

From infosec; [What real world benefits does PGP have over sending email with SSL/TLS such as with HTTPS?](https://security.stackexchange.com/q/74728/86735) Lots of details are on the comments, too.

Agniva Chaudhuri

3/18/23, 1:55 AM

@kelalaka That page doesn't resolve it. I'm asking about end-to-end encryption with TLS keys using the TLS protocol where applicable, not a system where an outside party can still see the cleartext communications. Also, a bunch of the stuff mentioned in that page involves extensions to the TLS protocol/specific implementations; for example, I don't see why someone can't just disable falling back to SSL if TLS is unsupported.

dave_thompson_085

3/18/23, 2:04 AM

A good deal of PGP (especially GPG) usage, and probably all of signify, is for **software distribution**, which I don't call personal. TLS servers sufficient to provide gigabyte downloads to many millions or billions of users can only be afforded by the giant monopolies, but other authors want to use and share lots of different servers (mirrors) to provide parallel, distributed downloads cheaply and effectively, while users want to know their download wasn't altered by a mirror. TLS can't do that. Plus some systems don't have network access at all and need data on disks; again no TLS.

dave_thompson_085

3/18/23, 2:06 AM

To clarify, you can't do TLS without the 'transport part'; TLS is an interactive protocol and cannot work without real-time, bidirectional communication.

Agniva Chaudhuri

3/18/23, 2:36 AM

@dave_thompson_085 is it possible to take out the encryption/signing part, and use that like PGP?

Swashbuckler

3/18/23, 3:14 AM

TLS is designed for two parties that are actively communicating with one another. PGP is designed for one party to encrypt data and then other parties to decrypt that data at some unknown point in the future. Different problems not surprisingly resulting in different solutions.

Maarten Bodewes

3/18/23, 9:34 AM

Actually, you can use PGP for in-place encryption as well, or encrypt for multiple parties at the same time. It also depends on a different PKI (for which there are some issues, but PKIX certainly has its own problems).

Agniva Chaudhuri

3/19/23, 1:39 PM

Actually now that I think of it, it makes sense that TLS isn't used for this. TLS involves combining one party's public key and the other's private key for both parties, something that shouldn't need to be done for PGP-esque use.

Score:6

Crypto

bk2204

3/19/23, 1:36 AM

These are different protocols and they serve different purposes.

TLS is an online protocol between two different parties. It's designed to ensure the security of a connection between two endpoints of a connection. The connection is ephemeral and both parties must be online at the same moment with sufficient bandwidth.

OpenPGP is an offline protocol. It can be used to encrypt data between two parties who may never be online at the same time. More commonly, it is used to sign data for software distribution (or other uses) by one party which is then received by other parties and verified at a later time.

If you want to use the X.509 keys and certificates that are used for TLS, you can use CMS, which is also an offline protocol. It is substantially less popular in the open source community because typically the certificates required have a shorter timeframe and they often cost money, leading to decreased adoption.

In many cases, the answer is that both are a good idea. Generally, you should serve all HTTP connections over TLS these days, and if you are distributing software, you probably will want to use some sort of digital signature to verify its integrity. TLS is important to prevent revealing the data that is transferred in case it is sensitive (for legal reasons or otherwise) and a digital signature (e.g., via OpenPGP) means that an attacker who can compromise the storage of the remote server cannot distribute modified software, provided the key is stored elsewhere.

0 + 0

dave_thompson_085

3/19/23, 5:42 AM

CMS/PKCS7 is used for code-signing in Microsoft, Apple, and Java (the last less often needed now that applets and 'deployment' have been dropped). Also for PDFs (which can be sort of code-ish, but usually not). And of course S/MIME (CMS embedded in MIME) is used for secure email, especially by Microsoft (Outlook/Exchange). I don't know if these count as 'like PGP'.

bk2204

3/19/23, 8:29 AM

I've edited to reflect that the situation is that they're both offline protocols.

Maarten Bodewes

3/19/23, 10:16 AM

I think you tried to get to the multiple receivers part in the 3rd section of your answer, but then backed out of it again when you wrote "received by another party". These signatures can be validated by any party, while TLS is strictly end-to-end, i.e. 1:1 instead of 1:N. I think that's an important difference. Similarly, you can encrypt for multiple recipients.

Score:0

Crypto

Meir Maor

3/20/23, 5:50 PM

bk2204 gave a correct detailed answer explaining that they are different protocols for different purposes. TLS being online and PGP/GPG being offline.

However, I would argue in many cases TLS actually does make PGP redundant. PGP was originally designed to secure email yet it.is rarely used for that and is primarily seen today to verify the authenticity and integrity of software.

The reason PGP isn't very effective is because most users do not establish a web of trust. We do not go key signing parties and verify keys used to verify keys used to verify software. Most users get the PGP keys they trust for signing software by downloading the key from a trustworthy website. This in itself is secured with TLS and authenticated using a trusted CA.

When distributing ad hoc software PGP gives essentially no security if you just downloaded the key from same website. Dome websites just publish hash of the files. So you can verify even if served separately. You trust the hash because you trust TLS not the

With package managers PGP on top of TLS gives some security as we remember keys. Users add software with an existing key more often than they add a new key. Even if the keys were actually received over TLS.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Why do people use protocols like PGP, when TLS already exists?

TH: เหตุใดผู้คนจึงใช้โปรโตคอลเช่น PGP ในเมื่อมี TLS อยู่แล้ว

RO: De ce folosesc oamenii protocoale precum PGP, când TLS există deja?

RU: Почему люди используют такие протоколы, как PGP, когда TLS уже существует?

VI: Tại sao mọi người sử dụng các giao thức như PGP, khi TLS đã tồn tại?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.