Comment by verytrivial
7 years ago
I read these advice columns like "You should stop using hand saws because we now have electric saws which are better in every way that I care about." Great! You use them then. I'll keep using crufty old hand saws wherever I want, you use and proselytize your electric saws and we can get on with our lives. I have my own networks and threat models and my own evaluation functions for these. Hand saws are pretty good.
If your threat models have you using PGP, your threat models are badly engineered.
That's pithy. I have used PGP sign (via an air gap) release tarballs on a public server for clients that have individually verified my org's public key. It made sense in this context and everyone already had the tools. My point is we have our own contexts.
If you used signify/minisign to do the same thing, your workflow would be simpler, your keys shorter, and your entire stack more secure. Since clients are individually verifying your key, none of PGP's identity goo is even ostensibly winning you anything. Your context isn't the issue.