On Thu, Aug 8, 2019 at 6:23 PM François Kooman fkooman@tuxed.net wrote:
> As for the current status quo, i.e. PGP, see [2,3], it would be fair to hold PGP (GnuPG) to the same standards... Based on its history of vulnerabilities I don't really trust it for anything. I'm sure you can use it safely if you are an expert and don't use key servers, but well, I don't trust myself with PGP... That is also the main reason I am in the process of switching to signify/Minisign for my own projects.
Thanks for posting this. I haven't gone into the weeds regarding PGP vulnerabilities, but completely agree that PGP is absurdly complex to use. Minisign looks to be a simpler alternative that most likely will grow in popularity once people are educated about it. Seems like a good idea to also include it in the guidelines.