On 01/16/2016 07:06 PM, Andrew Gallagher wrote:

> On 17 Jan 2016, at 02:19, Doug Barton <dougb@dougbarton.email> wrote:

>> OTOH, PGP is designed primarily to establish trust relationships between 
>> people, with human review of the results an integral part of the process.

> That may have been the initial motivation. But consider that the most common 
> real world use of PGP today is verification of code signatures - many of which 
> are generated semi-automatically by build infrastructures such as Debian and 
> verified by install tools. The trust relationship here is between your client 
> and a build server, not people.

True enough, but what do those signatures actually mean?

But more importantly, what security measures are in place to prevent a rogue key from entering that WOT, in addition to a certification signature from a random key? Is compromising a single certification key the only thing someone would need to do?

>> Glossing over authentication (because there's no real use case for those keys 
>> yet),

> Two factor ssh smart card auth? I use it nearly every day - much more often 
> than encrypted mail.

Sorry, all that does is replace something that already existed, works well, and is widely supported with something more complex, often buggy, and not widely supported. That's not a use case, that's a solution looking for a problem.

That's not to say that someday there won't be a use case for authentication keys, but I haven't seen one yet.

> I don't think anyone has sent me an encrypted mail in over a year, and the last 
> one was about signing a PGP key. ;-)

You're corresponding with the wrong people. :)

Doug


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
