Ok. The issue with using the Posting Key is that many frontends, such as Peakd, require the Posting Key. I believe others, such as 3Speak, also require posting authority over everyone that uses their frontend, but I know that Peakd does need it. So, all Peakd users are vulnerable to Peakd, or anyone with access to Peakd's stored user Posting Keys, and any other frontend on Hive that also uses the Posting Key authority of their users, can send encrypted messages as the user, and can update their Public Post-Quantum Key.
Unless I misunderstood and the Memo Key is also required for those transactions, which "The Memo Key is used as an additional security element, alongside the Post-Quantum Key, to encrypt messages." does seem to indicate.
I do not know of a frontend requiring access to the Memo Key at this time, so if both the Posting Key and the Memo Key are required for all operations the Posting Key is used for, then I do not think there is a security problem. If the Posting Key alone is used for any of these transactions, that's a problem.
Thanks!
RE: Introducing Hive-Mail, a new, quantum-resistant messaging protocol on Hive