I got into PGP under the impression it was kind of the gold standard of encryption. But more recently I've been hearing people saying it's outdated, hearing about things like saltpack, and reading a Hacker News discussion about someone saying PGP was outmoded.
I've seen a whole bunch of new stuff mentioned (e.g. here) that sounds like it's supposed to replace PGP: NaCl/libsodium/saltpack, AGE, OTR, and probably a few others that slipped my mind. There's also the MessagePack vs CBOR thing, which I haven't researched.
What I'm trying to find out is what alternative to PGP, if any, I should be switching to.
I understand there are some differences in use case (e.g. OTR proves authentication only to the recipient, while PGP messages are either unauthenticated or unrepudiable). But my feeling is that differences like that shouldn't require entirely different formats; I would be surprised if it weren't possible for the same format to provide both options. I don't know if NaCl/libsodium/saltpack do or not.
My understanding of NaCl vs libsodium is that NaCl was abandoned and libsodium is the surviving fork, but it's difficult to find anything super clear on it. I don't know if the saltpack implementations linked from saltpack.org use old NaCl or libsodium. I do know saltpack is developed by Keybase, and saltpack.org doesn't mention any other places it's used (whereas doc.libsodium.org listed a ton of places libsodium was used). Does anyone use saltpack outside of Keybase?
It's hard to find any clear guide on how to actually use NaCl/libsodium/saltpack, or whichever one I would be using. E.g. how are keys meant to be generated? Do you just generate 32 random bytes or whatever, and they don't have any metadata? The only usage guide I found was for the C library, and its API is so huge and confusing I would not touch it with a ten-foot pole.
I'm also not sure if OTR is meant to be used outside of a hosted app or if that's even practical.