
TL;DR
This paper reviews the longstanding issues with PGP, highlighting security, usability, and standardization challenges, and discusses why efforts to fix or replace it have faced fundamental obstacles.
Contribution
It provides a comprehensive analysis of PGP's vulnerabilities, standardization failures, and the core reasons behind the difficulty in fixing or replacing PGP in email security.
Findings
PGP has critical security and usability flaws.
Standardization efforts have largely failed to modernize PGP.
Decentralized PKI remains an unresolved challenge.
Abstract
Pretty Good Privacy (PGP) has long been the primary IETF standard for encrypting email, but suffers from widespread usability and security problems that have limited its adoption. As time has marched on, the underlying cryptographic protocol has fallen out of date insofar as PGP is unauthenticated on a per-message basis and compresses before encryption. There have been an increasing number of attacks on the increasingly outdated primitives and complex clients used by the PGP ecosystem. However, attempts to update the OpenPGP standard have failed at the IETF except for adding modern cryptographic primitives. Outside of official standardization, Autocrypt is a "bottom-up" community attempt to fix PGP, but still falls victim to attacks on PGP involving authentication. The core reason for the inability to "fix" PGP is the lack of a simple AEAD interface, which in turn requires a…
