Signing reviews seems like a good idea, but why does
Replies: 2 comments
PGP is barely usable and ridiculously over-complicated. Mandatory xkcd link. I know because I've been using it for more than a decade, I have a PGP YubiKey, "perfect keypair" with subkeys etc. I hate it, and I would switch in a heartbeat to anything else if it had reasonable hardware USB key support. It's hard enough to find people willing to try out a new project to do a very daunting and unglamorous job, learn new things, etc. I'm not piling up debugging gpg agent issues on top of all the existing barriers to entry. It's much, much easier to just generate a new ID.

You have to remember that crev is just supplemental security. It does not have to try to be an unbreakable security system, and no one can really trust a single person's review as "enough" anyway. The security properties emerge due to many people reviewing things. You can't trust a single review completely because the reviewer might have gotten blackmailed, their security compromised, or they were a sleeper agent of some government. If anyone gets hacked, they can revoke their own ID by marking it as "dangerous", create a new one, and tell people on Twitter about it, and life moves on.

Having said that, the design accommodates the possibility of alternative ID systems. If anyone really wants it, and is willing to put in the effort - I will gladly accept the PRs. :)
See also #58.