ifmpx | 5 years ago

This discussion was about your false assertion that PGP "has virtually no adoption".

If you want to change our discussion to be about replacing PGP instead, then I completely agree that people should replace PGP with modern properly-standardized alternatives if such exist.

pvg|5 years ago

Fundamentally, the discussion is about your (and others') claims that PGP is some key part of security infrastructure and that its wide adoption and importance in such infrastructure shows that. It probably got a little stuck on broad terms like 'adoption' and 'standard' instead of looking more specifically at the type of use you're holding up as an example.

Here's what happens in the super-common, basic case of 'installing a third party (i.e. not from the distro repos) package on some debiansy Linux':

You access the developer's webpage (via a browser and https) and read the installation instructions. They tell you to curl in (over https) some pgp key and some (https) endpoints for finding and downloading the package.

You apt-whatever and the package is installed.

The PGP part of this can be replaced with NOPs and this is no less secure. All the heavy lifting here is done elsewhere using infrastructure that actually has wide adoption and standardization and does useful things.

ifmpx|5 years ago

[deleted]

aborsy|5 years ago

If a modern alternative existed, it would have been invented.

Email is hard to secure for obvious reasons. The PGP itself is fine, even though it could be updated.