|
|
|
|
|
|
by Torgo
4326 days ago
|
|
|
> Protection of a private key, for example. I have a master key that was created offline, and use a subkey on a usb smart token. It works good but it was a bitch to set up. Apparently Qubes OS has a hardware-virtualized PGP container for protecting private keys, but that's not a viable solution right now. |
|
|
The OP's complaints boil down to two IMO: 1) poor UX; 2) trust is difficult to manage.
1) Seems solvable to me again with subkeys for encryption and signing (which I believe are created by default for GPG2.0 anyway).
2) Asking technology to solve the problem which only each individual can answer ("do I trust this person to be evaluate other people's identities as carefully as me?") is not doable.
The example of someone getting a journalist's pubkey and being stung by the (fixed) bug whereby the wrong key may be imported is again letting the user off the hook. If someone is not actually using GnuPG's abilities to examine the WoT and see who has signed the journalist's key etc then it's an example of magical thinking with "encryption" replacing any other nostrum.
I don't believe that problem can be solved with technology.
1. https://alexcabal.com/creating-the-perfect-gpg-keypair/