Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicrd5trxto23zghbf7auq7bk45u5nofnvbodoh2kmiv4vx2v7pgpm",
    "uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mnskqvlyqzh2"
  },
  "path": "/t/replace-gnupg-with-sequoia-pgp-actively-warn-against-gnupg/38238#post_8",
  "publishedAt": "2026-06-08T20:26:09.000Z",
  "site": "https://discuss.privacyguides.net",
  "tags": [
    "Following discussion"
  ],
  "textContent": "jonah:\n\n>   * Given how important post-quantum encryption is, it would be dangerous & unfortunate for users to lock themselves into the GnuPG standard\n>\n\n\nI would say something here. Not because I think it is wrong. Rather because from brief reading on this topic I got some misconception that is pretty common, I guess.\n\nMany speakers discuss it the way it seems that\n\n  * RFC 9580 (v6) = PQC,\n\n  * RFC 4880 (v4) = lack of PQC security.\n\n\n\n\nBut it is not the case: we already can use KEM-768+X25519 with v4. And most of us won’t use other algos even with v6. KEM-768+X25519 is just a reasonable choice in most cases.\n\nGPG supports KEM-768+X25519 right now. Seqsequoia-sq needs to be recompiled with a special flag to use it. Literally, GPG makes PQC more easy and accessible today. (While yes, generally, I believe sq does a lot for the future of this technology.)\n\nIs is easy to miss the fact that PQC is already accessible and has not so much to do with v4/v5/v6 debates . At least for privacy(signing is more complicated). I feel it is used to push people to implement v6 faster. Following discussion is pretty important:\n\n> Aron: GnuPG allows to attach a v5 PQC ML-KEM encryption subkey to a v4 key. With v4 ML-KEM subkeys we provide an alternative that is even compatible with v4. For full PQC compliance signatures are also needed.\n>\n> Kai: As soon as RNP provides stable v4 PQC encryption, it can be integrated in Thunderbird. I want to see PQC support in Thunderbird ASAP, but I don’t think it will come fast. First we need replacement keys mechanism.\n>\n> Andrew: Repl. keys is needed for v6, not v4 PQC.\n>\n> Kai: v4 PQC support in Thunderbird could be there maybe end of the year.\n\nMost of the clients are going live with v4 PQC for years, if not decades - that is my bet. forcing users to switch to v6 practicaly means “Use Proton and nothing else”. As no single other email client works with v6. From the same discussion:\n\n> Aron: there is v4->v6 migration and traditional->PQC migration. Let’s focus on the latter. Proton will bundle both transitions together because PQC is a user-measurable upgrade and selling point.",
  "title": "Replace GnuPG with Sequoia-PGP (& Actively warn against GnuPG)"
}