I take this to mean: apart from the barnacles on GPG, could there be a system which does what GPG does for software development (signing), without the non-functioning web-of-trust of GPG, or the hierarchical system of x509 signing? Something that deals with lost keys, compromised keys/accounts, loss of DNS control, MitMing, MitBing, etc?
I think it is probably in the class of problems where there are no great foolproof solutions. However, I can imagine that techniques like certificate transparency (all signed x509 certificates pushed to a shared log) would be quite useful. Even blockchain techniques. Maybe send someone to check on me, I'm feeling unwell having written that.
You mean some process other than `brew install gnupg`, or do you mean the silliness around generating and publishing a key (and, of course, later renewing the key)?
drybjed | 7 years ago
Ayesh | 7 years ago
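The certificate-transparency idea floated above (every signature pushed to a shared, append-only log) boils down to a Merkle tree plus two checks: a client proves one record is in the tree, and a monitor proves the tree only ever grew. The block below is an added example, not code from the thread or from any real log implementation: an RFC 6962 / RFC 9162-style log whose entries are constructed "key X signed commit Y" records, with the client-side inclusion check and a monitor-side check that earlier history was not rewritten. The record format, the sample entries and all function names are assumptions made for the illustration.

```python
# Added illustration of an RFC 6962 / RFC 9162-style Merkle transparency log
# holding code-signing records; not code from the thread or any real log.
# Record format and entries are constructed for the example.
import hashlib
from typing import List

def hash_leaf(data: bytes) -> bytes:
    """Leaf hash: SHA-256(0x00 || data). RFC 6962 domain separation."""
    return hashlib.sha256(b"\x00" + data).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    """Node hash: SHA-256(0x01 || left || right); the distinct prefix stops a
    leaf from being passed off as an interior node."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash (MTH): the value a signed tree head carries."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return hash_leaf(entries[0])
    k = _split(len(entries))
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))

def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """Audit path for entries[index]: sibling hashes ordered leaf to root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]

def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """RFC 9162 inclusion check: needs only the entry, its index, the tree
    size, the audit path and the published root, not the other entries."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            if not fn & 1:  # fn == sn: node hangs off a left subtree, climb it
                while fn & 1 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

def prefix_consistent(entries: List[bytes], old_size: int, old_root: bytes) -> bool:
    """Monitor-side check: the first old_size entries must still hash to the
    root recorded earlier. Rewriting or dropping a logged record (say, to hide
    a signature by a since-revoked key) changes that root whatever the new
    head claims. RFC 9162 consistency proofs do this without refetching all."""
    return merkle_root(entries[:old_size]) == old_root

# Constructed sample records ("this key signed this commit"): placeholders,
# not real commit hashes or signatures.
RECORDS = [
    b"commit=c0ffee01 signer=key:alice sig=sig-alice-1",
    b"commit=c0ffee02 signer=key:alice sig=sig-alice-2",
    b"commit=c0ffee03 signer=key:bob sig=sig-bob-1",
    b"commit=c0ffee04 signer=key:alice sig=sig-alice-3",
    b"commit=c0ffee05 signer=key:carol sig=sig-carol-1",
]

def demo() -> dict:
    """The checks a client (inclusion) and a monitor (consistency) would run."""
    log = list(RECORDS)
    root = merkle_root(log)
    idx, proof = 2, inclusion_proof(log, 2)
    forged = b"commit=c0ffee03 signer=key:mallory sig=forged"
    grown = log + [b"commit=c0ffee06 signer=key:bob sig=sig-bob-2"]
    forked = list(grown)
    forked[1] = b"commit=c0ffee02 signer=key:bob sig=sig-bob-0"  # history rewritten
    return {
        "inclusion_ok": verify_inclusion(log[idx], idx, len(log), proof, root),
        "forged_rejected": not verify_inclusion(forged, idx, len(log), proof, root),
        "honest_growth_consistent": prefix_consistent(grown, len(log), root),
        "fork_detected": not prefix_consistent(forked, len(log), root),
    }

if __name__ == "__main__":
    print(demo())
```

What this buys against the threats in the question: a signature made with a stolen key still lands in the log, so anyone watching for that key identifier sees it, and a log operator who later removes or alters the record breaks the prefix root that earlier observers kept. What it does not do is decide which key was entitled to sign; policy for lost or compromised keys still has to live outside the log.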
TIL about git-notes, which looks pretty neat.
whoisthisfor | 7 years ago
angry_octet | 7 years ago
hhanesand | 7 years ago
mdaniel | 7 years ago