[spam][joke][cryptotragedy] checking signatures on boot media

Karl gmkarl at gmail.com
Wed Nov 3 17:44:00 PDT 2021


On Wed, Nov 3, 2021, 6:33 PM Stefan Claas <spam.trap.mailing.lists at gmail.com>
wrote:

> On Wed, Nov 3, 2021 at 5:11 PM Karl <gmkarl at gmail.com> wrote:
> >
> > the guy wasn't from openpgp.org, and coderman posted it to this list in
> > 2019: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> >
> > the new keyserver is called hockeypuck I believe.
>
> Hi Karl,
>
> Why do you still rely on OpenPGP WoT signatures when it comes
> to cryptography? If we both, or you with others, used an offline
> device for key pair creation (and message generation) and then, say,
> used NaClbox or age, for example, you wouldn't have to deal with
> all this key management stuff, which is IMHO really annoying when
> you have to use PGP on a daily basis with several communication
> partners.
>

Well,
- the spampost was on os media verification, which is not available via
age.  this is the biggest reason and should be obvious.  here are other
scattered reasons:
- you may not be aware, but WoT is not anything anyone is forcing you to
do; pgp can operate without it, but it is a feature I would expect a good
asymmetric cryptography system to support
- pgp works fine on an offline device as you propose
- pgp is a well-recognised standard that has undergone extensive review and
normalisation, and is likely open to processes of further improvement
- I don't know why you would say this strange thing you are saying, but I
am interested in learning modern approaches like age
- go is kind of googley to me; I worry its internal architecture may not
defend the interests of other communities. it would be nice if we had
accessible transpiling to maintain language-agnostic tools soon

However, of course,
- pgp is old, so people trying to misuse it know it very well.  not likely
so true of other things.
- pgp is somewhat needlessly cumbersome in many ways

> The (Open)BSD folks, for example, switched long ago to signify,
openbsd is incredible, but they have indicated trust of infrastructure and
governments; unsure why

> for package signing and sequoia-pgp (Testimonial by Mr. Zimmermann)
> no longer uses key signing for a WoT.

haven't looked at sequoia-pgp, haven't always gotten too much into this
stuff

do you argue against keysigning because of the dangers produced by
spreading documentation of personal connections? it seems like an important
trust mechanism to provide for people who can hold any risk of using it.

obviously, without an out-of-band channel for cryptographic trust you have
no way of knowing anything on the internet is real