From: Michał Górny
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] [RFC] OpenPGP Authority Keys to provide validity of developer/service keys
Date: Sat, 23 Feb 2019 18:08:38 +0100
Message-ID: <1550941718.737.3.camel@gentoo.org>
References: <1550306421.831.16.camel@gentoo.org> <1550393754.1257.5.camel@gentoo.org> <20190217185416.nbgwm266moyk6j2u@gentoo.org> <1550496176.727.9.camel@gentoo.org> <1550606478.912.10.camel@gentoo.org> <1550907966.752.2.camel@gentoo.org>
Organization: Gentoo
List-Id: Gentoo Project discussion list

On Sat, 2019-02-23 at 11:30 -0500, Alec Warner wrote:
> On Sat, Feb 23, 2019 at 2:46 AM Michał Górny wrote:
> 
> > On Tue, 2019-02-19 at 15:16 -0500, Rich Freeman wrote:
> > > Also, as far as I'm aware GLEP 63 does not require an encryption key
> > > at all, just a signing key. I'm not sure if such signing-keys will be
> > > signed by Gentoo under this proposal. If not then there is nothing to
> > > upload to the keyserver, and in any case it seems like the main use
> > > case of this (sending encrypted email) would not apply. Of course it
> > > could still be used for verifying email signatures if we sign
> > > signing-only keys.
> > 
> > If someone really believes it's fine to have no encryption subkey just
> > because the GLEP doesn't require one explicitly... It either means that
> > person is seriously lacking the technical competence, or is a horrible
> > troll. In either case, I don't believe such a person should be a Gentoo
> > developer.
> > 
> 
> - Why does setting up GPG to receive encrypted messages imply technical
> competence?

The default GnuPG setup involves supporting encryption. In order not to
support encryption, you have to actually go out of your way to create a
signing-only setup, which makes no sense.

> - As Rich noted, most people have no idea how GPG works and they just do
> whatever they are instructed to do. I don't think a lack of knowledge of
> GPG indicates "being a troll" nor "lack of technical competence." It's a
> terribly designed piece of software from a usability perspective. I
> understand it's a complex space (as many security domains are) but I'm not
> sure the right way to proceed is to force everyone to learn the inner
> workings of the space. The goal should be to create a system where users
> don't have to know all the details but still get a good security value.
> 

The question is: how can you actually guarantee that users who don't
understand OpenPGP/GnuPG basics can actually comprehend the basic
necessities of keeping their key secure?

Next thing I learn is that people are not protecting their keys with a
password because the instructions didn't say they had to. And GnuPG
*only warned*.

-- 
Best regards,
Michał Górny

[PGP signature omitted]
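The two failure modes raised in this message (a key with no encryption subkey, and a secret key stored without a passphrase) can both be checked mechanically instead of relying on GnuPG's warnings. The script below is an added example, not code from the thread or from Gentoo's tooling. It assumes GnuPG 2.1+ colon-format listings (`gpg --with-colons`, where field 12 holds the capability letters and a lowercase `e` marks an encryption-capable (sub)key, and `--with-keygrip` emits `grp` records with the keygrip in field 10), and it assumes gpg-agent's `KEYINFO` reply, whose protection token is `P` (passphrase-protected), `C` (clear, i.e. unprotected) or `-` (unknown). The key listing embedded in the script is constructed sample data, not a real key. It goes one step beyond the message by also treating expired or revoked encryption subkeys as missing, since nobody can encrypt to those either.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit local OpenPGP keys
# for (1) a usable encryption-capable subkey and (2) passphrase protection
# of every secret key, rather than trusting GnuPG's one-time warning.
#
# Assumptions: GnuPG 2.1+ colon format (field 12 = capability letters,
# lowercase 'e' = this (sub)key can encrypt; field 2 = validity, 'r' revoked,
# 'e' expired), 'grp' records carrying the keygrip in field 10, and the
# gpg-agent KEYINFO reply whose 8th whitespace-separated token is the
# protection flag: 'P' protected, 'C' clear (no passphrase), '-' unknown.

# Constructed sample of `gpg --with-colons --list-keys`: a default-style key
# (sign+certify primary plus an 'e' subkey) and a signing-only key.
SAMPLE_LISTING='tru::1:1550000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1550000000:1613000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1550000000::0000000000000000000000000000000000000002::Default Key (constructed) <default@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1550000000:1613000000:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000003:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1550000000:1613000000::u:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000004:
uid:u::::1550000000::0000000000000000000000000000000000000005::Sign Only (constructed) <signonly@example.invalid>::::::::::0:'

# Read a colon-format listing on stdin; print one line per key, either
# "<keyid> encryption-subkey:yes" or "<keyid> encryption-subkey:MISSING".
# Revoked or expired subkeys do not count: correspondents cannot use them.
encryption_report() {
    awk -F: '
        function flush() {
            if (keyid != "")
                print keyid, (enc ? "encryption-subkey:yes" : "encryption-subkey:MISSING")
        }
        $1 == "pub" || $1 == "sec" { flush(); keyid = $5; enc = 0 }
        ($1 == "pub" || $1 == "sec" || $1 == "sub" || $1 == "ssb") &&
            index($12, "e") && $2 != "r" && $2 != "e" { enc = 1 }
        END { flush() }
    '
}

# Extract the protection flag from a gpg-agent KEYINFO reply read on stdin.
# Prints P, C or -; prints - when no KEYINFO status line was returned.
keyinfo_protection() {
    awk 'BEGIN { p = "-" } $1 == "S" && $2 == "KEYINFO" { p = $8 } END { print p }'
}

# Live check of the local keyring: for every secret (sub)key keygrip, ask
# gpg-agent how the key is stored. 'C' means it sits on disk unencrypted,
# exactly the "only warned" case described in the message.
secret_key_protection() {
    gpg --batch --with-colons --with-keygrip --list-secret-keys 2>/dev/null |
    awk -F: '$1 == "grp" { print $10 }' |
    while read -r grip; do
        prot=$(gpg-connect-agent "KEYINFO $grip" /bye 2>/dev/null | keyinfo_protection)
        case $prot in
            P) printf '%s passphrase:protected\n' "$grip" ;;
            C) printf '%s passphrase:NONE\n' "$grip" ;;
            *) printf '%s passphrase:unknown\n' "$grip" ;;
        esac
    done
}

# Run on the constructed listing, then on the real keyring if GnuPG is present.
printf '%s\n' "$SAMPLE_LISTING" | encryption_report
if command -v gpg >/dev/null 2>&1 && command -v gpg-connect-agent >/dev/null 2>&1; then
    gpg --batch --with-colons --list-keys 2>/dev/null | encryption_report
    secret_key_protection
fi
```

Any line reading `encryption-subkey:MISSING` or `passphrase:NONE` is a key that the message above would reject; a `-` from KEYINFO usually means the key lives on a smartcard or the agent could not be reached, so it warrants a manual look rather than a pass.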