2024-06-01 00:23:45

tank on Nostr:

I used to maintain the OpenPGP.js library (used in ProtonMail) and I don’t use PGP. And Phil Zimmermann doesn’t use PGP because he prefers Apple Mail on his iPhone.

I always ask myself: what’s the point of asking users to download a PGP public key to verify a binary they download from the same website? Users aren’t getting more integrity assurances over what SSL already offers them, since most have no idea how to use WoT.

It’s different with nostr... every user has a WoT that they can manage (with decent enough UX) and it already gives them value outside of verifying binaries. So I’d love to see an easy-to-use “nostr-verify” unix program that you pass your npub that *just works*. Anyone that wants to attest a given binary can upload their signatures to their relays. Then the “nostr-verify” program just pulls these sigs from my relays to verify the binary. Does this exist?
Using PGP for verifying software doesn't work and it is often counterproductive. Users don't understand what they are doing. They don't use PGP and they don't have a WoT, so what's the point?
The worst part is that those same users would demand step-by-step instructions about how to verify the software. What are the alternatives?
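The "nostr-verify" flow sketched in the note above, worked through as an added example; this is not code from the note's author, from njump or from any existing tool. The assumptions are mine: attesters publish a kind 1063 event carrying the binary's SHA-256 in an "x" tag (the NIP-94 file-metadata layout, borrowed here as the attestation format), the user's trust set is given as hex x-only pubkeys rather than bech32 npubs (bech32 decoding is left out), the events that a real tool would fetch from the user's relays are constructed inline, and BIP-340 Schnorr is implemented in pure Python so the example runs offline (a real tool would use libsecp256k1). The constructed private keys are small fixed integers for reproducibility and must never be used for anything real.

```python
import hashlib, json

# secp256k1 parameters (BIP-340 reference constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged_hash(tag, msg):
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def point_add(p1, p2):              # affine addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    if p1[0] == p2[0] and p1[1] != p2[1]: return None
    if p1 == p2: lam = 3 * p1[0] * p1[0] * pow(2 * p1[1], P - 2, P) % P
    else: lam = (p2[1] - p1[1]) * pow(p2[0] - p1[0], P - 2, P) % P
    x3 = (lam * lam - p1[0] - p2[0]) % P
    return (x3, (lam * (p1[0] - x3) - p1[1]) % P)

def point_mul(pt, k):               # double-and-add scalar multiplication
    r = None
    for i in range(256):
        if (k >> i) & 1: r = point_add(r, pt)
        pt = point_add(pt, pt)
    return r

def lift_x(x):                      # the curve point with this x and even y, per BIP-340
    if x >= P: return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if pow(y, 2, P) != y_sq: return None
    return (x, y if y % 2 == 0 else P - y)

def xonly(pt): return pt[0].to_bytes(32, "big")

def schnorr_sign(msg, seckey, aux=bytes(32)):
    d0 = int.from_bytes(seckey, "big")
    pt = point_mul(G, d0)
    d = d0 if pt[1] % 2 == 0 else N - d0          # negate so the public key has even y
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + xonly(pt) + msg), "big") % N
    r = point_mul(G, k0)
    k = k0 if r[1] % 2 == 0 else N - k0
    e = int.from_bytes(tagged_hash("BIP0340/challenge", xonly(r) + xonly(pt) + msg), "big") % N
    return xonly(r) + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(msg, pubkey, sig):
    if len(sig) != 64: return False
    pt = lift_x(int.from_bytes(pubkey, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N: return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg), "big") % N
    R = point_add(point_mul(G, s), point_mul(pt, N - e))   # s*G - e*P must equal k*G
    return R is not None and R[1] % 2 == 0 and R[0] == r

ATTEST_KIND = 1063   # assumption: NIP-94 file metadata reused as the attestation format

def event_id(ev):    # Nostr event id: sha256 over the canonical JSON array
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()

def pubkey_hex(seckey): return xonly(point_mul(G, int.from_bytes(seckey, "big"))).hex()

def make_attestation(seckey, file_hash, created_at=1717200000):
    ev = {"pubkey": pubkey_hex(seckey), "created_at": created_at, "kind": ATTEST_KIND,
          "tags": [["x", file_hash]], "content": "I built and verified this release"}
    ev["id"] = event_id(ev)
    ev["sig"] = schnorr_sign(bytes.fromhex(ev["id"]), seckey).hex()
    return ev

def nostr_verify(binary, trusted_pubkeys, events):
    """Return the trusted pubkeys whose validly signed attestation names this binary's hash."""
    digest = hashlib.sha256(binary).hexdigest()
    attesters = []
    for ev in events:
        if ev["pubkey"] not in trusted_pubkeys or ev["kind"] != ATTEST_KIND: continue
        if event_id(ev) != ev["id"]: continue          # body altered after signing
        if not schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]),
                              bytes.fromhex(ev["sig"])): continue
        if any(t[0] == "x" and t[1] == digest for t in ev["tags"] if len(t) >= 2):
            attesters.append(ev["pubkey"])
    return attesters

# Constructed sample data: fixed toy keys and a fake binary, for the demo only.
BINARY = b"\x7fELF constructed sample release binary"
SK_MAINTAINER, SK_REVIEWER, SK_STRANGER = ((1234567).to_bytes(32, "big"),
                                           (7654321).to_bytes(32, "big"), (42).to_bytes(32, "big"))
TRUSTED = {pubkey_hex(SK_MAINTAINER), pubkey_hex(SK_REVIEWER)}   # the user's WoT

def demo():
    good_hash = hashlib.sha256(BINARY).hexdigest()
    events = [make_attestation(SK_MAINTAINER, good_hash),
              make_attestation(SK_STRANGER, good_hash),      # valid but outside my WoT: ignored
              make_attestation(SK_REVIEWER, hashlib.sha256(b"other build").hexdigest())]
    events.append(dict(events[0], pubkey=pubkey_hex(SK_REVIEWER)))   # relabelled: id check fails
    return nostr_verify(BINARY, TRUSTED, events), nostr_verify(BINARY + b"\x00", TRUSTED, events)

if __name__ == "__main__":
    print(demo())
```

The check the tool would actually care about is the last one: a relay can return any event it likes, so nothing is trusted until the event id recomputes from the body and the BIP-340 signature verifies against a pubkey the user already follows. The stranger's attestation is discarded on the WoT test alone, the relabelled copy on the id test, and the reviewer's attestation of a different build on the hash comparison, so only the maintainer vouches for the sample binary and nobody vouches for the tampered one.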
Author Public Key
npub1xyd5ja34s4nk0l6urnh69wx9ep6uuxz2ujrkm2f8n6pfhgqa6y5s2xn6n2