Quote from: Pharmington Rex on July 23, 2013, 02:54 am

The simple rebuttal to this would be that since a buyer can determine if the vendor is using a "weak" key with relative ease (by simply analyzing the key in a PGP program), the buyer can decide whether or not to do business with the vendor. The risk tolerance is in the hands of the buyer. Therefore, all that needs to be done is to show the security-conscious buyers how to determine the key strength. But if they are really that risk averse and security conscious, those buyers would already know how to determine key strength (which really is a simple matter). All of which makes this effort wholly unnecessary and makes one question "why" a vendor would want to bully and "out" vendors using keys under a certain threshold of what is arguably (and demonstrably to an extent) construed as "weak." You almost make it sound as if you have *no* choice but to do business with the vendor(s) that have "weak" keys. It's basically the same sort of argument that one posits against early finalization and how SR admins should actively disallow it to "protect" buyers. As if a buyer has *no* choice at all but to finalize early. This is a free market. Emphasis on *free.* BTW, we use a 4096-bit RSA/RSA key. In case you were wondering. And we don't ask or impose FE on any of our patrons. We're firm believers in the escrow system.

PGP key strength is only one factor - I've been made aware of 3 vendors already using 512-bit keys which are easily breakable. On top of that, vendors are leaving metadata in images, links to real e-mails (how many I can't be sure just yet), reflections or identifying information in pictures, badly chosen PGP programs etc. These are issues many people simply do not spot when they're browsing through products and vendors.

I am on a mission to crucify those vendors who disregard good advice or secure practices because quite simply it isn't their information to mishandle, even if the buyer doesn't encrypt their address, as most people simply do not have the time, resources or money to fully check out vendors like I can - don't think this project is coming cheap to me. This is a free market, yes, but we are offering people a better choice. 2048-bit keys pass as secure, yes, but I am saying 4096 is better, although I am not going to make a big deal if that is it; I will just mention it and they won't be shamed for that simply because that isn't a problem, SR staff have a 2048-bit key. Fast forward 20 years when it is breakable though, do you want historical crimes against your name? I am in this for those who don't know enough to properly protect themselves, not for vendors, and I've already made a few enemies but that doesn't bother me. Some of the top 1-5% guys are going to get hammered though quite soon.
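
Both posts above turn on the same check: reading the algorithm and bit length out of a published PGP key so that a key below a chosen threshold (512-bit RSA here, or anything under 2048 or 4096 bits) is spotted before it is trusted. The following script is an added example written for this page, not code from either poster: it parses an ASCII-armored OpenPGP public key block according to RFC 4880 (old- and new-format packet headers, v3 and v4 key packets) and flags every primary key and subkey whose size is under a minimum. The key at the bottom is constructed for the demo (its modulus is just an odd number of the right length, not a real RSA key); the same `assess_key_block` function can be pointed at a block exported with `gpg --export --armor`.

```python
"""Report the algorithm and size of every key in an ASCII-armored OpenPGP
public key block and flag keys below a minimum bit length (RFC 4880).
Added example, not code from the thread; the sample key built at the bottom
is CONSTRUCTED (its modulus is not a real RSA modulus) to exercise the parser."""
import base64
import re
import struct
import time

# Public-key algorithm IDs, RFC 4880 section 9.1 (22 = EdDSA from RFC 4880bis)
ALGORITHMS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
KEY_TAGS = {6: "primary", 14: "subkey"}       # public-key / public-subkey packets


def dearmor(text):
    """Return the binary packet stream inside an armored public key block."""
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                  r"-----END PGP PUBLIC KEY BLOCK-----", text, re.S)
    if not m:
        raise ValueError("no armored public key block found")
    lines = [l.strip() for l in m.group(1).splitlines()]
    if "" in lines:                            # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    body = "".join(l for l in lines if l and not l.startswith("="))  # "=xxxx" is the CRC24 line
    return base64.b64decode(body)


def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % (pos - 1))
        if ctb & 0x40:                         # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                length = len(data) - pos
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        yield tag, data[pos:pos + length]
        pos += length


def parse_key_packet(body):
    """Decode a public-key / public-subkey packet body into algorithm and size."""
    version = body[0]
    if version == 4:
        created, algo, off = struct.unpack(">I", body[1:5])[0], body[5], 6
    elif version == 3:                         # legacy v3: 2-byte validity period after the timestamp
        created, algo, off = struct.unpack(">I", body[1:5])[0], body[7], 8
    else:
        raise ValueError("unsupported key packet version %d" % version)
    if algo in (18, 19, 22):                   # curve keys: size is implied by the curve OID, not an MPI
        oid = body[off + 1:off + 1 + body[off]].hex()
        return {"version": version, "algorithm": ALGORITHMS[algo], "bits": None,
                "curve_oid": oid, "created": created}
    # The first MPI is RSA n, DSA p or ElGamal p; its 2-byte prefix is the bit length.
    bits = struct.unpack(">H", body[off:off + 2])[0]
    return {"version": version, "algorithm": ALGORITHMS.get(algo, "unknown(%d)" % algo),
            "bits": bits, "created": created}


def assess_key_block(text, minimum_bits=2048):
    """List every key in the block with a 'weak' flag for sizes under minimum_bits."""
    report = []
    for tag, body in iter_packets(dearmor(text)):
        if tag in KEY_TAGS:
            info = parse_key_packet(body)
            info["role"] = KEY_TAGS[tag]
            info["weak"] = info["bits"] is not None and info["bits"] < minimum_bits
            report.append(info)
    return report


# --- constructed sample key for the demo (not real key material) -------------
def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _packet(tag, body):
    """Old-format packet header with a 1-byte or 2-byte length."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _crc24(data):
    crc = 0xB704CE                             # OpenPGP armor checksum, RFC 4880 section 6.1
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def constructed_rsa_key_block(bits):
    """Armor a v4 RSA public key packet of the given size plus a user ID packet.
    CONSTRUCTED: the modulus is an arbitrary odd number of the right length."""
    n = (1 << (bits - 1)) | 1
    key = _packet(6, bytes([4]) + struct.pack(">I", int(time.time())) + bytes([1])
                  + _mpi(n) + _mpi(65537))
    data = key + _packet(13, b"Constructed Test Key <nobody@example.invalid>")
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(_crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    for size in (512, 2048, 4096):
        for k in assess_key_block(constructed_rsa_key_block(size)):
            print(k["role"], k["algorithm"], k["bits"], "WEAK" if k["weak"] else "ok")
```

Only the first MPI of the key packet is read, because for RSA, DSA and ElGamal that is the parameter whose length people mean by "key size"; elliptic-curve keys carry no such MPI, so the script reports their curve OID and leaves `bits` unset rather than inventing a number. Subkeys are reported alongside the primary key because a strong signing key paired with a short encryption subkey still leaves messages exposed.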