@orionwl wonder if this would be a good time to try bip322 sigs for releases?

@ajtowns @orionwl No. PGP is far superior to any of these single key standards, as it supports the web-of-trust.

PGP could be better. But until someone actually replaces it, why use niche standards that will never replace it?

@pete @orionwl that reads like two fallacies to me: #1 that web of trust actually works, #2 that you can make a new standard without some people using it while it's niche? Also BIP322 supports multisig signatures, it's not single key.

@ajtowns @orionwl Web-of-trust works for its intended audience: people who are taking the time to actually verify something rather than just relying on their web browsers.

Re: multisig, just sticking a few different signatures on releases manually is fine. Anyone verifying this stuff to that level is verifying it manually anyway. And PGP *does* allow for multiple signatures on one file, even in things like git commits.
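The post above says several PGP signatures can simply be attached to one release file and checked manually. The script below is an added illustration of what that manual check has to do; it is not code from the thread or from any of its participants. It assumes GnuPG (`gpg`) is installed and that the maintainers' public keys have already been imported into the keyring it is pointed at. The pinned fingerprints and the sample `--status-fd` output are constructed for the example and correspond to no real keys. The practitioner's caveat it encodes: `gpg --verify` succeeds as soon as any signature from any key in the keyring is good, so a policy of "at least N signatures from these specific maintainers" has to be enforced by parsing the machine-readable status lines and matching `VALIDSIG` fingerprints against a pinned set.

```python
"""Threshold check over several PGP signatures on one release artifact.

Added example, not from the thread. Assumes `gpg` is on PATH and the
signers' public keys are already imported. TRUSTED_SIGNERS and
SAMPLE_STATUS are constructed example data, not real keys or real output.
"""
import subprocess
from typing import Iterable, List, Optional, Set, Tuple

# Pinned primary-key fingerprints of the release managers (constructed).
TRUSTED_SIGNERS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
}

# Keywords gpg emits exactly once per signature, before any VALIDSIG line.
_VERDICTS = {"GOODSIG", "BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"}


def good_signers(status_text: str) -> Set[str]:
    """Return primary-key fingerprints whose signature got GOODSIG and VALIDSIG.

    VALIDSIG alone is not enough: gpg also prints it for cryptographically
    valid signatures made by expired or revoked keys (EXPKEYSIG/REVKEYSIG),
    so a signature counts only when its verdict line was GOODSIG.
    """
    signers: Set[str] = set()
    verdict: Optional[str] = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in _VERDICTS:
            verdict = keyword
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
            # Prefer the primary-key fingerprint (last field) so signatures
            # made by a subkey still map to the pinned primary key.
            fpr = fields[-1] if len(fields) >= 12 else fields[2]
            if verdict == "GOODSIG":
                signers.add(fpr.upper())
            verdict = None
    return signers


def meets_threshold(signers: Iterable[str], trusted: Iterable[str], threshold: int) -> bool:
    """True when at least `threshold` distinct pinned signers are present."""
    return len(set(signers) & set(trusted)) >= threshold


def verify_release(artifact: str, signature_files: List[str],
                   trusted: Iterable[str] = TRUSTED_SIGNERS, threshold: int = 2,
                   gnupghome: Optional[str] = None) -> Tuple[bool, Set[str]]:
    """Run gpg over each detached-signature file and apply the threshold.

    A single .sig file may hold several concatenated signatures; gpg reports
    each one, so passing one combined file or several files both work.
    Requires gpg; not exercised by the offline sample below.
    """
    signers: Set[str] = set()
    for sig in signature_files:
        cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig, artifact]
        if gnupghome:
            cmd[1:1] = ["--homedir", gnupghome]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        signers |= good_signers(proc.stdout)  # status lines go to fd 1
    return meets_threshold(signers, trusted, threshold), signers


# Constructed status output for a release carrying four signatures:
# one good pinned signer, one revoked pinned key, one bad signature, and
# one good signature from a key that is NOT pinned.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-05-01 1714521600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 0123456789ABCDEF Bob Example <bob@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-05-01 1714521600 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 76543210FEDCBA98 Carol Example <carol@example.org>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Mallory Stranger <m@example.net>
[GNUPG:] VALIDSIG 1122334455667788112233445566778811223344 2024-05-01 1714521600 0 4 0 1 10 00 1122334455667788112233445566778811223344
"""

if __name__ == "__main__":
    signers = good_signers(SAMPLE_STATUS)
    print("good signers:", sorted(signers))
    print("policy (2 of pinned) satisfied:", meets_threshold(signers, TRUSTED_SIGNERS, 2))
```

In the sample, gpg sees two good signatures, but only one of them comes from a pinned key, so the two-of-three release policy fails even though a naive "did `gpg --verify` succeed" check would pass.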


@ajtowns @orionwl BTW, re: "taking the time", I've consulted on the requirements for high-value storage. It's annoying, time-consuming work to do properly. Stuff like buying sealed laptops at in-person stores randomly to verify install disks.

If you are doing it properly, verifying some web-of-trust is the least of your issues.

There are companies with wallets worth hundreds of millions of dollars. I've had clients with plans for billions (I seem to have dissuaded most of them...).
