The history of practical encryption has been largely about solving the "messy real-world bits".
I am emphatically not saying here that WG is a step backward. But what I had hoped to see - either from Jason or from somebody else in that community - were practical approaches to actually deploy this safely in real environments people have.
Let me give you a small not very related example that made me smile recently of how to make security usable:
Magic Wormhole will cheerfully help do SSH public key setup for a new device that needs access.
Normally this is a messy real-world problem. The SSH public key for a new laptop, or a phone, or whatever needs to get authorized for access to some system. As a public key it isn't secret, but the correct key must be installed or you'd be subject to a sophisticated MITM. Unlike the server authentication there is no provision for TOFU and it's unclear how that should work anyway. SSH keys are too long to just read them out comfortably, secure messaging platforms add clumsy extra steps (copy, paste)...
But Magic Wormhole fits the gap pretty nicely. You run one end of the wormhole on the machine where the key is to be installed, and the other on the machine that has the key pair, secured with a trivial human-memorable passphrase like '6-candle-cheesegrater-horse', and the result is simple but safe†.
† I've argued Wormhole security thresholds should be higher mostly for PR reasons, but it's not a deal breaker and you can doubtless find my rambling about that if you care.