oss-sec mailing list archives
Best practices for signature verification
From: Demi Marie Obenour <demiobenour () gmail com>
Date: Sun, 28 Dec 2025 19:48:13 -0500
In light of the recent GnuPG vulnerabilities, I remembered that OpenPGP is almost never the right choice. CMS/PKCS#7 isn't any better, and X.509 is also bad except that its extremely wide deployment in TLS keeps it alive.

See <https://www.latacora.com/blog/2019/07/16/the-pgp-problem/> and <https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/>.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
