Replace GnuPG with Sequoia-PGP (& Actively warn against GnuPG)

jonah: > * Given how important post-quantum encryption is, it would be dangerous & unfortunate for users to lock themselves into the GnuPG standard > I would say something here. Not because I think it is wrong. Rather because from brief reading on this topic I got some misconception that is pretty common, I guess. Many speakers discuss it the way it seems that * RFC 9580 (v6) = PQC, * RFC 4880 (v4) = lack of PQC security. But it is not the case: we already can use KEM-768+X25519 with v4. And most of us won’t use other algos even with v6. KEM-768+X25519 is just a reasonable choice in most cases. GPG supports KEM-768+X25519 right now. Seqsequoia-sq needs to be recompiled with a special flag to use it. Literally, GPG makes PQC more easy and accessible today. (While yes, generally, I believe sq does a lot for the future of this technology.) Is is easy to miss the fact that PQC is already accessible and has not so much to do with v4/v5/v6 debates . At least for privacy(signing is more complicated). I feel it is used to push people to implement v6 faster. Following discussion is pretty important: > Aron: GnuPG allows to attach a v5 PQC ML-KEM encryption subkey to a v4 key. With v4 ML-KEM subkeys we provide an alternative that is even compatible with v4. For full PQC compliance signatures are also needed. > > Kai: As soon as RNP provides stable v4 PQC encryption, it can be integrated in Thunderbird. I want to see PQC support in Thunderbird ASAP, but I don’t think it will come fast. First we need replacement keys mechanism. > > Andrew: Repl. keys is needed for v6, not v4 PQC. > > Kai: v4 PQC support in Thunderbird could be there maybe end of the year. Most of the clients are going live with v4 PQC for years, if not decades - that is my bet. forcing users to switch to v6 practicaly means “Use Proton and nothing else”. As no single other email client works with v6. From the same discussion: > Aron: there is v4->v6 migration and traditional->PQC migration. Let’s focus on the latter. Proton will bundle both transitions together because PQC is a user-measurable upgrade and selling point.