I skimmed this and a couple things jumped out at me. 1) PGP and S/MIME because of their use of long term keys do not provide forward secrecy. Which can makes it worth while to cryptographically factor a key or to obtain knowledge of a private key without the key holders knowledge. As the keys will be used again and again over a long period of time. More recent protocol's such as Signal's Double Ratchet Protocol enable forward secrecy for store and foward communications, and remove the problem of long term keys. 2) The existence of such a process with encrypted communications to ensure long term confidentiality is going to make our contact people the targets of people who want access to knolwedge about hardware bugs like meltdown, before they become public. I am just mentioning these things in case they are not immediately obvious to everyone else involved, so that people can be certain they are comfortable with the tradeoffs being made. Eric
