top | item 10187133

(no title)

Since I have worked on something similar, in my opinion, it isn't the downloading software that is necessarily a hurdle (although I agree that it is a bit of one); it is around the general difficulty and pain around your local setup and finding the user you are trying to contact's pgp key. This has been discussed at length, but I think it comes down to pgp being enough of a hassle that people who aren't focused on privacy/security don't bother using it.

With ssh keys, at least we can assume that if someone has a github account they have a private ssh key, and it is accessible through the github api. With pgp there isn't a guarantee that they even have a pgp key, and accessibility is on the users themselves to publish it in some way. I think that keybase.io has tried to become the go-to spot for pgp keys, but the adoption is nowhere near what github has, and again, someone has to be interested in privacy/security to want to do this as well.

I mean with all do respect that you are correct in terms of a better protocol, and that there are tools that exist that already do this. The concern that I think OP and myself are interested in solving is creating something that is quick, easy, and piggie-backs on top of the huge github userbase and provides a base level of encryption.

discuss

tptacek|10 years ago

I just don't buy it. Using Github-registered SSH keys to communicate is also an idiosyncratic and complicated way to exchange messages (evidence: far, far more people use PGP than use schemes like this). It's also much less secure.

I see absolutely no win here.