Hey,

> I strongly disagree with this. While it is complicated in Ben's case, we had
> a GPG signing party at the past Akademy and we can rebuild the web of trust.
> Debian works like this. We can have one at the QtCon (with also people from
> other communities including FSFE). So *signing* the announcement emails
> should not be discouraged like it is in this email.

+1

For me DKIM is another layer of security. GPG encryption doesn't help anything in order to verify it, that is correct. But I think all others mean GPG signatures. GPG signatures are created at the sending computer, so with a GPG-signed mail I can be sure that the mail was not touched by anyone. DKIM starts with the first mail server that supports DKIM. Nobody guarantees that the sender's mail server is trustworthy.

@Boudhayan: Only with this longer explanation can I understand that the mail shouldn't be tampered with in between. But keep in mind that every mail server can send a mail with a fake sender mail address and have valid DKIM. So you would also need to verify SPF/SRS...

In the end GPG signatures would help, because they can also be used as TOFU (trust on first use). I trust the GPG keys I get first for a mail address; together with the information that I know, that you used your key multiple times for sending and never complained that the key is wrong, this also gives strong security. With a key signing party we can raise the security level additionally.

regards,
sandro
_______________________________________________ kde-community mailing list [email protected] https://mail.kde.org/mailman/listinfo/kde-community
