by CydeWeys 3701 days ago
By the way, your PGP key has no signatures on it. It could trivially be swapped out on your webhost if the server was compromised and no one would know the difference. You should go to a PGP key-signing party. I would offer to sign your key, but you aren't in the NYC office like I would've assumed. Fortunately there's no shortage of people to sign your key in SF!

This seems relevant right now https://moxie.org/blog/gpg-and-me/
Signal has a nicer communication user interface for some communication compared to email + PGP but it has not really solved the verification problem that many secure communication methods have.

The grandparent is advising the writer to improve the verification aspects that PGP provides.

Have you tried re-establishing trust with a Signal user who wiped their device? It falls back to the same PGP problem of comparing a string of numbers over a different secure channel.

Moxie addresses some problems with the OpenPGP RFC and with the GnuPG implementation, but after re-reading that post I don't see how it relates to the verifiability issue the grandparent is bringing up.

Or he could post his key signature on multiple media, provide links to them, and not expose his social network ;)
There's not particularly any connection between your social network and your PGP key signatures. That's what key-signing parties are good for: You get your needed signatures from people who are strangers, who are validating your identity through other means, such as access to your email account, physically matching photos that are associated with your various online presences, and possession of government-issued photo ID.
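The thread's point (a key that lives only on a web host can be swapped, and the fix is to check a fingerprint obtained through a separate channel, whether a key-signing party, a printed card or reading digits aloud) can be shown in a few lines. This is an added illustration, not code from any commenter or from GnuPG or Signal: the key bytes are constructed stand-ins, and the fingerprint is SHA-256 over those bytes rather than the OpenPGP key-packet hash, so only the principle matches, not the format.

```python
import hashlib
import hmac

# Constructed sample key material: stand-ins for the raw public-key bytes a site
# publishes. OpenPGP derives its fingerprint from the key packet; here SHA-256 over
# the raw bytes is used to demonstrate the principle, not the real format.
PUBLISHED_KEY = b"constructed-public-key-material-for-alice"
SWAPPED_KEY = b"constructed-public-key-material-planted-by-an-attacker"


def fingerprint(key_bytes: bytes) -> str:
    """Return a hex fingerprint of the key, grouped in blocks of four for reading aloud."""
    digest = hashlib.sha256(key_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp: str) -> str:
    """Strip spacing and case so a fingerprint copied from a card or spoken over
    the phone compares cleanly regardless of how it was transcribed."""
    return "".join(fp.split()).upper()


def verify_out_of_band(downloaded_key: bytes, trusted_fingerprint: str) -> bool:
    """Compare the fingerprint of a key fetched from the web host with one obtained
    through a separate channel (key-signing party, printed card, voice call).
    A constant-time comparison avoids leaking how many characters matched."""
    computed = normalize(fingerprint(downloaded_key))
    expected = normalize(trusted_fingerprint)
    return hmac.compare_digest(computed.encode(), expected.encode())


# The fingerprint Alice handed out on a card at a key-signing party (constructed:
# derived here from PUBLISHED_KEY so the example is self-contained).
CARD_FINGERPRINT = fingerprint(PUBLISHED_KEY)


def main() -> None:
    print("published key fingerprint:", fingerprint(PUBLISHED_KEY))
    # The genuine key matches the card; a key substituted on the server does not,
    # which is exactly the check a signature-less download cannot give you.
    print("genuine key verifies:", verify_out_of_band(PUBLISHED_KEY, CARD_FINGERPRINT))
    print("swapped key verifies: ", verify_out_of_band(SWAPPED_KEY, CARD_FINGERPRINT))


if __name__ == "__main__":
    main()
```

The same comparison is what a Signal safety-number check or a key-signing party reduces to: the web host is only one channel, and a second, independent one is what makes substitution detectable.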