Thread

I don't get it... Why do you still need PGP at all? nostr:nprofile1qqs83nn04fezvsu89p8xg7axjwye2u67errat3dx2um725fs7qnrqlgpzamhxue69uhhxetpwf3kstnwdaejuar0v3shjtc3uszjr does software signing better anyhow. And what's the difference of using nostr as your long-term identity key and not just a PGP master key? At least the PGP master key you can revoke, expire, rotate, while we don't have any of that in nostr yet.
2025-12-07 06:30:18 from 1 relay(s)

Replies (3)

Zapstore is great for software signing. It solves the only reason you would need a long-dated PGP key, which was for software verifiability. But PGP still solves one narrow problem I don’t want to lose, which is offline file-level encryption with a trust model I fully control. That doesn’t require a decade-long key. It just needs short-lived, compartmentalized ones. Nostr’s missing piece is native expiry and rotation standards. We’ll get there. Until then my argument is simple. Keep PGP minimal and disposable for encryption. Treat Nostr as the long-term identity layer because it avoids the overhead that made PGP brittle. Using both gives you the strengths of each and covers the weaknesses of both. And it lets you cross-verify identity without dragging PGP’s legacy baggage into it.
2025-12-07 06:49:20 from 1 relay(s)
Local (and remote) file storage encryption is doable with nostr too. Here's an article with an early architecture. We've made a lot of progress since, but I haven't made an update post yet. Check it out and please give some feedback. nostr:naddr1qqgrsde5xcexzvny8qerjvf3vgmkxqg3waehxw309ahx7um5wgh8w6twv5hsyg9ha45tqck7dd9p9egl6559c8s7pmgw2y5vm2f6kyd5z594tmfjlspsgqqqw4rs37vdn7
2025-12-07 07:20:43 from 1 relay(s)