oss-sec mailing list archives
Re: Best practices for signature verification
From: kf503bla () duck com
Date: Mon, 29 Dec 2025 00:21:16 -0500
Then what do you suggest to use? I hear it all the time, "pgp sucks", but what's the alternative, huh?

> In light of the recent GnuPG vulnerabilities, I remembered that OpenPGP is almost never the right choice. CMS/PKCS#7 isn't any better, and X.509 is also bad except that its extremely wide deployment in TLS keeps it alive. See https://www.latacora.com/blog/2019/07/16/the-pgp-problem/ and https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/.
>
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)
