Decentralized Internet and Privacy
In defence of GnuPG: Key Sovereignty in an Age of Digital Feudalism
<p>For over a decade, critiques of OpenPGP and GnuPG have resurfaced in cycles: too complex, too fragile, too old, unfriendly, too “cryptonerd.” Modern messaging apps, "forward-secrecy-by-default" protocols, and crypto tools are frequently presented as decisive reasons to abandon GPG altogether. Yet these arguments often rely on a deeper and more troubling assumption: that ordinary users cannot and should not be expected to understand or control their own cryptographic identity.</p>
<p>This talk challenges that premise.</p>
<p>GnuPG is not merely another encryption tool; it is one of the few remaining technologies that give individuals total sovereign control over their cryptographic keys and consequently, over their digital identity. In an era increasingly shaped by "digital feudalism", where platforms dictate the limits of user agency under the guise of convenience, GPG represents a radically different model: federation instead of walled gardens, user-owned keys instead of opaque key escrow, and a trust model that distributes power horizontally rather than concentrating it in corporate or governmental authorities.</p>
<p>This presentation revisits the popular criticisms such as complexity, usability, lack of forward secrecy, the Web of Trust, aging cryptographic primitives and examines which reflect genuine limitations and which reflect a shift in cultural expectations shaped by centralized, app-centric design. It also highlights the unique strengths of GPG: asymmetric communication without a central provider, universal applicability far beyond email, a single identity usable across code-signing, backup encryption, SSH, authentication, and fully offline communication.</p>
<p>Finally, it explores the broader political and social context: why long term key ownership matters, why revocability and inspectability are essential freedoms, and why privacy cannot be sustainably outsourced to corporations whose incentives are misaligned with user autonomy. While modern protocols like Signal and Matrix bring important innovations, none yet replace the core promise of OpenPGP that cryptographic self determination remains possible.</p>
<p>This talk argues that dismissing GPG as "too hard" risks conceding our digital agency to systems designed to keep users passive. In a world where ideas outlive the apps that package them, GPG’s foundational idea (users should own their keys) remains not only relevant, but indispensable.</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ud2218a |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 2/1/26 |
<p>The Internet landscape is evermore on it’s steadfast course towards surveillance and centralization. Video content and streaming out of CDNs now account for half of all global traffic; splinternets are now a thing, from China to South Korea, from Russia to Iran; mandatory backdoors on communication platforms are just around the conner with EU’s Chat Control. In this scenario, where most Internet connected devices have become tools of imprisonment rather than liberation, reviving the old ...
|
| 2/1/26 |
<p>Can we make the web more decentralized and more private without asking users to switch browsers? For the past five years, the IPFS ecosystem has pioneered multiple approaches to this challenge. This talk shares hard-won lessons about what works—and what doesn't.</p> <p>We'll cover three parallel strategies: (1) pushing for native protocol support in major browsers, (2) driving adoption of critical cryptographic building blocks (such as Ed25519 into WebCrypto API, a three-year standards ...
|
| 2/1/26 |
<p>The massive size of browser engines has concentrated power over the web platform into a few large corporations. Creating a new browser engine that is sufficiently featureful to be an alternative to the Big Three is practically impossible. But what if we could shrink the footprint of a browser's core? What if a browser was little more than a WebAssembly (Wasm) runtime and nearly everything else was an extension? By breaking up the monolith we would have a chance to re-decentralize control over ...
|
| 2/1/26 |
<p>In recent decades, the internet has increasingly become centralized, shifting from its hacker-driven origins into a cartel of advertising companies. It won't get better if we allow these same companies to drive the design of the web browsers and their protocols.</p> <p>Within hacker communities, many solutions have been developed to mitigate centralization, but their adoption has been limited, often because they require specialized expertise to be operated safely.</p> <p>In this talk I'll ...
|
| 2/1/26 |
<p>Nym is the first decentralized noise-generating mixnet to provision real-world network anonymity to Internet users even against nation-state adversaries. The aim here is to supersede existing VPNs in order to fight increasingly more powerful authoritarianism and surveillance. Unlike traditional centralized VPNs that can be de-anonymized by a global passive adversary - like the NSA - based on their traffic patterns, Nym adds noise (“cover traffic”) to existing Internet communications. ...
|
| 2/1/26 |
<p>TLS has secured the internet for decades, but it has a major limitation: because TLS relies on symmetric encryption, data cannot simply be shared with a third party. As a result, most Web data remains locked inside centralized silos. HTTPS provides authenticity and confidentiality, but not verifiable provenance, leaving applications to rely on screenshots, scraped HTML, or centralized access control mechanisms such as OAuth.</p> <p>zkTLS changes this. Using MPC-TLS and zero-knowledge ...
|
| 2/1/26 |
<p>Public certificate authorities in TLS are a security liability from both a censorship and MITM perspective. Conceptually, DNSSEC's idea of tying PKI to domain names should be a better replacement -- except that in the DNS, relying on the names means trusting the registrars, registries, and ICANN. But what if we had <em>self-authenticating</em> domain names? Could we build a PKI on top of those? Could such a PKI work with unmodified mainstream web browsers like Chromium, Firefox, and Tor ...
|
