On Sat, 2019-02-23 at 11:30 -0500, Alec Warner wrote:
> On Sat, Feb 23, 2019 at 2:46 AM Michał Górny wrote:
>
> > On Tue, 2019-02-19 at 15:16 -0500, Rich Freeman wrote:
> > > Also, as far as I'm aware GLEP 63 does not require an encryption key
> > > at all, just a signing key. I'm not sure if such signing-keys will be
> > > signed by Gentoo under this proposal. If not then there is nothing to
> > > upload to the keyserver, and in any case it seems like the main use
> > > case of this (sending encrypted email) would not apply. Of course it
> > > could still be used for verifying email signatures if we sign
> > > signing-only keys.
> >
> > If someone really believes it's fine to have no encryption subkey just
> > because the GLEP doesn't require one explicitly... It either means that
> > person is seriously lacking the technical competence, or is a horrible
> > troll. In either case, I don't believe such a person should be a Gentoo
> > developer.
>
> - Why does setting up GPG to receive encrypted messages imply technical
> competence?

The default GnuPG setup involves supporting encryption. In order not to
support encryption, you have to actually go out of your way to create a
signing-only setup, which makes no sense.

> - As Rich noted, most people have no idea how GPG works and they just do
> whatever they are instructed to do. I don't think a lack of knowledge of
> GPG indicates "being a troll" nor "lack of technical competence." It's a
> terribly designed piece of software from a usability perspective. I
> understand it's a complex space (as many security domains are) but I'm not
> sure the right way to proceed is to force everyone to learn the inner
> workings of the space. The goal should be to create a system where users
> don't have to know all the details but still get a good security value.

The question is: how can you actually guarantee that users who don't
understand OpenPGP/GnuPG basics can actually comprehend the basic
necessities of keeping their key secure? Next thing I learn is that
people are not protecting their keys with passwords because the
instructions didn't say they had to. And GnuPG *only warned*.

--
Best regards,
Michał Górny
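The thread turns on whether a developer's key actually carries an encryption-capable subkey. As an added example (not from the mailing list or from Gentoo's tooling), the script below parses the machine-readable `gpg --list-keys --with-colons` format, where field 12 holds the key capabilities, and reports primary keys that have no usable encryption subkey; the key listing embedded in it is constructed sample data, not real keys.

```python
"""Flag OpenPGP keys that lack an encryption-capable subkey.

Parses ``gpg --list-keys --with-colons`` output. Field 12 (index 11) of
``pub``/``sub`` records lists capabilities: e = encrypt, s = sign,
c = certify, a = authenticate. Lower-case letters are the record's own
capabilities; upper-case letters on a ``pub`` record summarise the whole
key, so we only count lower-case ones and skip revoked/expired subkeys.
"""

# Constructed sample listing: key AAAA... has a separate encryption subkey,
# key DDDD... is a signing-only key (certify + sign, no encrypt).
SAMPLE_LISTING = """\
tru::1:1550000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1550000000:1640000000::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1550000000::HASH::Example Dev <dev@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1550000000:1640000000:::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1550000000:1640000000:::::e::::::23:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1550000000:1640000000::u:::scSC::::::23::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
uid:u::::1550000000::HASH::Signing Only <sign@example.invalid>::::::::::0:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1550000000:1640000000:::::s::::::23:
"""

UNUSABLE = {"r", "e"}  # validity field: r = revoked, e = expired


def key_capabilities(listing: str) -> dict[str, set[str]]:
    """Map each primary key ID to the union of live capabilities of its records."""
    keys: dict[str, set[str]] = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            current = fields[4]           # primary key ID
            keys[current] = set()
        if record in ("pub", "sub") and current is not None:
            validity = fields[1] if len(fields) > 1 else ""
            caps = fields[11] if len(fields) > 11 else ""
            if validity in UNUSABLE:
                continue                   # a revoked/expired subkey adds nothing
            keys[current].update(c for c in caps if c.islower())
    return keys


def keys_without_encryption(listing: str) -> list[str]:
    """Return primary key IDs that cannot receive encrypted mail."""
    caps = key_capabilities(listing)
    return sorted(k for k, c in caps.items() if "e" not in c)


if __name__ == "__main__":
    for key_id in keys_without_encryption(SAMPLE_LISTING):
        print(f"{key_id}: no encryption-capable subkey")
```

Feed it real output with `gpg --list-keys --with-colons | python3 check.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`.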