
Never heard of Age here. I looked, seems like it is brand new?



I also have never heard of Age. Then again, I don’t actively keep up-to-date with the world of cryptography (other than from a PKI/X.509/TLS perspective). As a system administrator, I only use GnuPG to check the signatures of software packages and to exchange passwords with other sysadmins.

This thread has been both interesting and educational.


Serious question: how read into work on cryptography engineering and secure messaging do you feel you are? I'm trying to get a gauge of what it means to be "brand new" for you. What cipher constructions are OK? The CAESAR finalists? The AEADs Rogaway surveys in his papers? The ones GnuPG supports?


It seems weird to me to gauge someone’s understanding of “brand new” for cryptography software by measuring against primitives and constructions. To me at least, those are not the same thing. Even if a piece of software contains cryptography I will still also evaluate its age as a piece of software simply as a proxy for maturity and stability of the feature set.


Is this intended as an answer for my question? Because it doesn't help me gauge what the parent commenter sees as "brand new".


No it was a comment trying to indicate that I found your question odd, and ask why you think your question is useful? Do you believe there is a single notion of brand new that can be applied across all categories? Is the age for brand new milk the same as for software or for scientific results or items of clothing? Or do you believe that for the categories of software and cryptographic theory the notion of brand new is equivalent?

Frankly, in my reading of your question you come across as very arrogant, where you use the guise of a “serious question” to show off your knowledge of cryptography.


Thanks for sharing, but this isn't responsive to anything I'm asking or saying.


I also agree with adament. It may not be responsive to your question but your question doesn't read in good faith and many of your other comments in this thread read as pitiless war against an opponent you've decided is your enemy.

There have been many articles written that push back against the narrative a small cohort of security people push that GnuPG and OpenPGP by extension should be avoided at all costs. Personally, I find it has stood the test of time admirably and that its "multi-tool" functionality unlocks features I use almost every day like a web of trust in Keybase and using it as an ssh agent. I actually don't want another tiny tool in age. With Sequoia the future of PGP looks bright.


Thanks, I am sorry for taking your time.


It's been around since 2019, and has been discussed heavily on Hacker News.


You're trying to tell us that software from 2019 isn't new? The majority of the software that I use on a daily basis is minimum a decade old, and I don't think I'm alone.


Yeah, and it is supposedly a software related to cryptography. Has it been audited at least? They are promoting it so much, but GnuPG has been around for a while now and loads of people have used it. What about Age? I feel more comfortable with GnuPG.


What is your bar for "audited"?

I've reviewed both the design and implementation for age in the past and only found nitpicky things to improve (mostly related to HKDF).

I can take a fresh look and make a pretty PDF on paragonie.com if you care so much.


I am sure audits could help Age either way. :) I am just saying that it is still fresh as opposed to GnuPG. This is what people typically call "battle-tested", when the software has been used by a zillion of people for some time. Of course I cannot speak about Age much, this is the first time I heard about it.


GnuPG had been battle tested for almost two decades before Efail was discovered and disclosed.


Yeah, but does this help Age?


Only to the extent that it shows you can't simply compare the vintage of two systems and declare the older one safer by dint of battle-testing.


I am not saying it is safer because it is older, but it sure has been under more scrutiny than Age. That said, Age might be safer regardless.


Can you describe the upside of this “more scrutiny”, since per the above it doesn’t seem to have made the codebase safer?


It isn't brand new, no.


So, it's brand new. Got it.

Hell, I have shirts older than the language it's written in.

In 20 years, I might not even be able to find a working compiler to build it, after the shiny-object crowd moves on to something else.

You know what I'll still be able to decrypt? An ASCII-armored, GPG encrypted, TAR archive.

Personally, I am not interested in the latest evolutionary improvements on file formats. Evolution produces a lot of interesting things; most of them are dead ends. What I want is the cockroach of file formats. The coelacanth.


You will be able to decrypt a file produced by age. All the cryptography there is standard, you'll have a compatible library in whatever language you'll use in 20 years, if you think the first party Go and Rust implementations won't survive.

Using common libraries, I can create a python program to decrypt a file produced by age in a few hours, I think.


> So, it's brand new. Got it.

No. Brand new means completely new. Something that's going on 3 years old isn't brand new anymore.

A more appropriate term is relatively new. Civilization is relatively new compared to the age of the universe. Age is relatively new compared to modern computers.

But neither civilization nor age are brand new.



