I would avoid reading much, if anything at all, into what Boudhayan
wrote, both from the perspective of the sysadmin team and even Boudhayan
himself.
--Jeff
On 7/26/2016 5:46 PM, Ingo Klöcker wrote:
On Tuesday 26 July 2016 16:01:15 Luigi Toscano wrote:
On Tuesday, 26 July 2016 19:25:25 CEST Boudhayan Gupta wrote:
2) GPG doesn't simply encrypt the email, but also digitally signs
it.
Signatures are required to prove the authenticity of the email, and
to detect if it was tampered with. However, given our email
infrastructure, a GPG signature is meaningless. Anyone can create a
GPG key, encrypt the email and send it out. To trust the public key,
it would have to be either (a) distributed in a trustable way, which
brings us to the same situation as the SSH host key, (b) signed by
another trusted entity (a person), after a face-to-face meeting, or
(c) signed by members of a web of trust (which recursively requires
one of (a) and (b)). Given that we live in such physically diverse
locations (in fact, Ben lives in New Zealand; meeting enough KDE
contributors face to face willing to sign his key is prohibitively
time-, effort- and finance-consuming), if you can't establish trust
of a GPG public key, the signature is meaningless.
I strongly disagree with this. While it is complicated in Ben's case,
we had a GPG signing party at the past Akademy and we can rebuild the
web of trust. Debian works like this. We can have one at QtCon
(with also people from other communities, including FSFE). So
*signing* the announcement emails should not be discouraged like it
is in this email.
I very much agree with Luigi. IMHO, OpenPGP signatures are the most
trustworthy kind of proof of authenticity (provided the key fingerprint
has been verified in a way that's as secure as a face-to-face meeting
and that the key's owner takes good care of her key).
I disagree that it's difficult for the admin team to verify and then
sign Ben's key. For example, I think that this could be done via a voice
chat, provided the admin team regularly does voice chats and therefore
recognizes Ben's voice. I don't care whether Ben's really called Ben and
lives in New Zealand. All that I care for is that the admin known to us
as Ben has sent the announcement with the new server fingerprint. And
this I could have asserted easily, if the admin team had cross-signed
their OpenPGP keys and I had verified the OpenPGP keys of one, or
better two, admins in a keysigning meeting, e.g. at Akademy.
I agree that encrypting the public information about the server
fingerprint would not have made any sense, but I guess that the people
who complained actually wanted the message to be signed rather than
encrypted. OTOH, claiming that "GPG encryption is fundamentally broken"
is unacceptable. GPG encryption is anything but broken (if it's used in
the right way, i.e. to encrypt information exchanged between parties who
have verified their OpenPGP keys).
Regards,
Ingo
_______________________________________________
kde-community mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/kde-community
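The point both Boudhayan and Ingo make is that a signature which gpg reports as GOODSIG is necessary but not sufficient: the key that made it must be one whose fingerprint was verified out of band (a key-signing meeting, a voice chat with someone whose voice you know) or one that the cross-signed admin keys in your keyring vouch for. The following is an added example, not code from any participant in the thread or from the KDE sysadmin team. It parses the machine-readable status lines GnuPG prints with `gpg --status-fd 1 --verify` (the `[GNUPG:] KEYWORD ...` protocol from GnuPG's doc/DETAILS) and contrasts the naive check ("gpg said GOODSIG") with the check the thread argues for. All status output, the name "Ben (sysadmin) <ben@example.org>" and every fingerprint are constructed for illustration and belong to no real key or person.

```python
"""Added example: when does a gpg --verify result prove who signed an announcement?

Parses the machine-readable status lines GnuPG emits with
`gpg --status-fd 1 --verify` ("[GNUPG:] KEYWORD ..." lines, see doc/DETAILS).
All status output, names and fingerprints below are constructed for
illustration and do not belong to any real key or person.
"""
import subprocess
from dataclasses import dataclass, field

# Fingerprints of admin-team keys verified out of band (read off at a
# key-signing meeting, or over a voice chat with someone whose voice you know).
# Constructed value, not a real key.
PINNED_FINGERPRINTS = {
    "4A1B2C3D4E5F60718293A4B5C6D7E8F901234567",
}

# Only these validity levels mean our own keyring vouches for the key: we
# (l)signed it ourselves, or enough trusted people in our web of trust did.
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class VerifyResult:
    good_signature: bool = False          # GOODSIG: the maths checked out
    fingerprint: str = ""                 # key that made the signature (VALIDSIG)
    trust_level: str = "TRUST_UNDEFINED"  # TRUST_* line; absent means undefined
    signer: str = ""                      # user ID gpg printed next to GOODSIG
    problems: list = field(default_factory=list)


def parse_status(status_text):
    """Turn [GNUPG:] status lines into a VerifyResult; other output is ignored."""
    r = VerifyResult()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword == "GOODSIG":
            r.good_signature = True
            r.signer = " ".join(parts[3:])
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsvd> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            r.fingerprint = parts[2].upper()
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            r.problems.append(keyword)
        elif keyword.startswith("TRUST_"):
            r.trust_level = keyword
    return r


def accept_naive(r):
    """The check the thread warns against: 'gpg said GOODSIG, so it is Ben'."""
    return r.good_signature and not r.problems


def accept(r):
    """Return (accepted, reason).  A good signature is necessary, not sufficient:
    the key must be one we pinned, or one our keyring rates fully valid."""
    if not r.good_signature or r.problems:
        return False, "no valid signature (%s)" % ",".join(r.problems or ["no GOODSIG"])
    if r.fingerprint in PINNED_FINGERPRINTS:
        return True, "signed with pinned key %s" % r.fingerprint
    if r.trust_level in TRUSTED_LEVELS:
        return True, "signed with key rated %s by our keyring" % r.trust_level
    return False, ("GOODSIG from '%s' but key %s is %s: anyone can create a key and "
                   "sign, so this proves nothing yet" % (r.signer, r.fingerprint, r.trust_level))


def verify_file(signed_path, gnupghome=None):
    """Run gpg on a signed or clearsigned file and evaluate the result."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signed_path]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return accept(parse_status(proc.stdout))


# Constructed status output: a mathematically good signature from a key that
# nobody has verified (what you get from a key someone made five minutes ago).
STATUS_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Ben (sysadmin) <ben@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2016-07-26 1469550000 0 4 0 1 10 01 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same situation, but the signing key is the one we pinned after verifying it.
STATUS_PINNED_KEY = (STATUS_UNKNOWN_KEY
                     .replace("89ABCDEF0123456789ABCDEF0123456789ABCDEF",
                              "4A1B2C3D4E5F60718293A4B5C6D7E8F901234567")
                     .replace("GOODSIG 0123456789ABCDEF", "GOODSIG C6D7E8F901234567"))

# Key not pinned, but cross-signed by admins we certified: gpg rates it fully valid.
STATUS_WOT_KEY = STATUS_UNKNOWN_KEY.replace("TRUST_UNDEFINED", "TRUST_FULLY")

# Tampered message: the signature does not check out at all.
STATUS_TAMPERED = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Ben (sysadmin) <ben@example.org>\n"

if __name__ == "__main__":
    for name, status in [("unknown key", STATUS_UNKNOWN_KEY), ("pinned key", STATUS_PINNED_KEY),
                         ("web-of-trust key", STATUS_WOT_KEY), ("tampered", STATUS_TAMPERED)]:
        r = parse_status(status)
        print("%-17s naive=%-5s strict=%s" % (name, accept_naive(r), accept(r)))
```

Running it shows the gap the thread is about: the "unknown key" case passes the naive check and fails the strict one. In practice the TRUST_FULLY path is what you get after you have verified an admin's fingerprint in person and run `gpg --lsign-key <fingerprint>` with your own (ultimately trusted) key, or after enough admins whose keys you certified have cross-signed the announcing key; until then, pinning the fingerprint you verified is the only thing that turns GOODSIG into evidence.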