> who only offer certs of RSA and P-{256,384}?

I am pretty sure that nginx and openssl only recently added support for ed25519 certificates. Although to be honest I don't really like the idea of let's encrypt. The addressing system that tor uses has solved that issue already.

> but where most browsers use secp256r1?

This is an issue. Browser vendors should prioritize the djb algorithms.

Only one (specifically DJBs joke Post-QC algorithm), and it did not pass to the second round.

One notable exception (which as I understand is tptacek-approved) is Wire, which only needs an email.

You don't have to do that. Protocols like tox for example are distributed and use DHT in order to find peers.

Since I am apparently replying too fast and I need to slow down, here is my reply to the child post by Sir_Cmpwn:

> I don't really see the link between the email you posted and efail

GPG decrypts the whole message which might be gigaoctets long and throws it to the output. After it has been decrypted it checks the MDC (if it exists) and throws an error if the MDC does not match or if it is missing. Meanwhile if a OpenPGP message was composed of small authenticated packets GPG would be able to first authenticate if the MAC of the packet is correct and then return an error right away if it does not match. If it did match it would return plaintext and move on to the next packet. You can see now how efail would be prevented, right?

> PGP

Do people use PGP nowadays? I was under the impression that pretty much everyone used GPG ever since it was released.

I disagree, it needs to be possible for whistle-blowers to operate freely. It should also be possible to disclose to the whole world new and superior techniques and technologies that a company tries to hide.

> This is what privacy regulations are all about

I am pretty sure that this is a separate thing to NDAs. Nevertheless I believe that the solution should be technical rather than legal, with things like end to end encryption and public key cryptography.