undefined | Better HN

0 pointstptacek6y ago0 comments

If your threat models have you using PGP, your threat models are badly engineered.

0 comments

That's pithy. I have used PGP sign (via an air gap) release tarballs on a public server for clients that have individually verified my org's public key. It made sense in this context and everyone already had the tools. My point is we have our own contexts.

tptacekOP6y ago

If you used signify/minisign to do the same thing, your workflow would be simpler, your keys shorter, and your entire stack more secure. Since clients are individually verifying your key, none of PGP's identity goo is even ostensibly winning you anything. Your context isn't the issue.

j / k navigate · click thread line to collapse

0 comments

verytrivial6y ago

tptacekOP6y ago

j / k navigate · click thread line to collapse