On 10/5/25 2:48 AM, Hoël Bézier wrote:

> I thought this would indeed be feasible and that it would simplify
> things. I must be missing some information. Could anyone expand on why
> using ssh for signing is not possible for us?



But I didn't say it's "not possible", I said it is the opposite of a
"simplification". A sufficiently determined person with infinite time
and development budget can be expected to generally produce anything not
contra-indicated by the laws of physics; doesn't mean it is a good idea.

...

Simplifying the cryptographic packeting format for private materials is
entirely unrelated to either the presence *OR* lack of presence of
simplicity or complexity in tooling consuming this.

So really, the first and biggest issue was "making assumptions".

Aside from that, actual CA deployments are significantly more complex
than implied. Gentoo has a CA infrastructure for developer PGP keys in
the form of

Gentoo Authority Key L1 <[email protected]>
Gentoo Authority Key L2 for Developers <[email protected]>
Gentoo Authority Key L2 for Services <[email protected]>

What is the *specific* proposal to replace this? I can think of some
potential answers, but I suspect most people have not thought about it
at all. And still, you need to manually track keys, but cannot because
"keyrings" are one of the things every PGP "replacement" decides to do
without. So better build even more infra for that.

There are other issues as well, once you've gotten that far. But of
course nobody does :) it is all memeing about "openpgp is terrible, what
if we just make an extremely simple replacement with raw crypto
algorithms" and not too much real problem-solving.


-- 
Eli Schwartz
