[lrvick]

At this point I can only conclude you are a troll, but if you are actually serious, I challenge you to prove it. I put in the work in the community for my side of this debate.

I would suggest you pick one of the mainline Linux distros that relies on PGP and make a detailed RFC with a plan to downgrade their security to your non standard minisign/ssh solution with private keys exposed in system memory as you propose, and make a convincing case why it is worth it and what advantages they get for doing so.

Let me know if you do. I am sure it will be a great case study.

[akerl_]

Thankfully OpenBSD did my work for me:

https://www.openbsd.org/papers/bsdcan-signify.html

[lrvick]

So 0.1% of the internet is protected by Ed25519 signatures because of this move. Meanwhile PGP has had Ed25519 support for years, with hardware security key support.

OpenBSD does fantastic work, but you and I both know it will never have any significant adoption on the web at this point.

Try to convince an actual Linux distro running any significant portion of the web they should stop using Ed25519 via PGP smartcards and use Ed25519 via signify exposing their keys to system memory (and thus malware) instead, with no key discovery protocol, for unspecified reasons.

Would love to see a threat modeling case for that.

At this point you have shown your hand. You hate PGP so much you would make security for everyone worse to get rid of it. There is no reasonable threat model to support your position.