From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 00766138334 for ; Sat, 23 Feb 2019 16:30:27 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8C44EE0959; Sat, 23 Feb 2019 16:30:26 +0000 (UTC) Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2515DE0955 for ; Sat, 23 Feb 2019 16:30:25 +0000 (UTC) Received: by mail-lj1-x236.google.com with SMTP id z7so3877575lji.0 for ; Sat, 23 Feb 2019 08:30:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gentoo-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=fvdUDOgdiqnqvvPlpvlRsCiYhJvhyXjVsEMHt8CO1wM=; b=l83qvtO69LC4iy/yHEPf97KrSYcKv7X8l4hqTXS4NpqF2KVvNlJODJ+GbTez1yw6Aa 01zlfm0KgVenHsudRLFrgfVXoCRdMDqELrLGsT/3PC5z5Jjg303HwqXYOq6DJkJfpN4T 1yD+xVpeK3193EKIIHTsZVbdUzp0unpHFCvfzIyI0pb78lkUptzzwg6FlQx8BNrSiD87 jexH26pSLy7RYOxoXPSr3rsurAg2TEupjoInpT5XLQBZXTlCIvqEIUft//ab7c3GhZpe Tsh3VJGUU+/FVoYZaTODe8r+gefyOiX0gPxrDcwhm+FEHXqoVyqzq8Sz7A+MSiK3ry7O Jy9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=fvdUDOgdiqnqvvPlpvlRsCiYhJvhyXjVsEMHt8CO1wM=; b=oCguFHVVKGZPPylRMGNsyE/CCbEG/CXC83q8j9XohLsOtLzMxewd6rjlYtvmNRqOAr 2Q7BNp0jDhszs70aESMmlxHRXKLZ10ABw9pzVcfnsMsHVrztmYQUZ/00fiBBqNo2Ia9a fzcCChOrjJZfz0+XwN0GCUqtnuqyymaDlq2pgOBgCdNRrDmWAX2wlC+V4tx7erYPpQiD PecCYFxVDuD7lRF9rGMC+Qd3fxxxN9a2WlQ1qpIPglCTWfjDyh0XuRu9VWY4U0OxOkhl L6ylUCQ7lfqeN9+ZvC7XM1KHxnn3rA5RAXWto9Xd/KUX26HNvM6csTuUTRYQO/qpfuAo MmPQ== X-Gm-Message-State: AHQUAubIj9xOfSSJNh4Kyb5rP+VQSEOQkEWavKU21YEU+v6cvWM/BLx+ 2kcJ3ZbV952TB4zABKIHLfciVVXJ+rnXiDXC/PJySyGcDF4= X-Google-Smtp-Source: AHgI3Ibi5uhyjMeFXhbFqidstlr77f+nX4t4mGL4wOgPhjB7vw/8diAM7GzBOs/wfvOR+sv6L+pdwTVo2+iXriJUeOg= X-Received: by 2002:a2e:9dda:: with SMTP id x26mr5302922ljj.53.1550939423353; Sat, 23 Feb 2019 08:30:23 -0800 (PST) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 References: <1550306421.831.16.camel@gentoo.org> <1550393754.1257.5.camel@gentoo.org> <20190217185416.nbgwm266moyk6j2u@gentoo.org> <1550496176.727.9.camel@gentoo.org> <1550606478.912.10.camel@gentoo.org> <1550907966.752.2.camel@gentoo.org> In-Reply-To: <1550907966.752.2.camel@gentoo.org> From: Alec Warner Date: Sat, 23 Feb 2019 11:30:12 -0500 Message-ID: Subject: Re: [gentoo-project] [RFC] OpenPGP Authority Keys to provide validity of developer/service keys To: gentoo-project Content-Type: multipart/alternative; boundary="00000000000065c853058292399f" X-Archives-Salt: 745333bd-7d94-4384-9058-849e15f7f972 X-Archives-Hash: 4dee52209a715ec038fd82329a647e0d --00000000000065c853058292399f Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sat, Feb 23, 2019 at 2:46 AM Micha=C5=82 G=C3=B3rny = wrote: > On Tue, 2019-02-19 at 15:16 -0500, Rich Freeman wrote: > > Also, as far as I'm aware GLEP 63 does not require an encryption key > > at all, just a signing key. I'm not sure if such signing-keys will be > > signed by Gentoo under this proposal. If not then there is nothing to > > upload to the keyserver, and in any case it seems like the main use > > case of this (sending encrypted email) would not apply. Of course it > > could still be used for verifying email signatures if we sign > > signing-only keys. > > If someone really believes it's fine to have no encryption subkey just > because the GLEP doesn't require one explicitly... It either means that > person is seriously lacking the technical competence, or is a horrible > troll. In either case, I don't believe such a person should be a Gentoo > developer. > - Why does setting up GPG to receive encrypted messages imply technical competence? - As rich noted, most people have no idea how GPG works and they just do whatever they are instructed to do. I don't think a lack of knowledge of GPG indicates "being a troll" nor "lack of technical competence." Its a terribly designed piece of software from a usability perspective. I understand its a complex space (as many security domains are) but I'm not sure the right way to proceed is to force everyone to learn the inner workings of the space. The goal should be to create a system where users don't have to know all the details but still get a good security value. -A > > -- > Best regards, > Micha=C5=82 G=C3=B3rny > --00000000000065c853058292399f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Sat, Feb 23, 2019 at 2:46 AM Micha= =C5=82 G=C3=B3rny <mgorny@gentoo.or= g> wrote:
On Tue, 2019-02-19 at 15:16 -0500, Rich Freeman wrote:
> Also, as far as I'm aware GLEP 63 does not require an encryption k= ey
> at all, just a signing key.=C2=A0 I'm not sure if such signing-key= s will be
> signed by Gentoo under this proposal.=C2=A0 If not then there is nothi= ng to
> upload to the keyserver, and in any case it seems like the main use > case of this (sending encrypted email) would not apply.=C2=A0 Of cours= e it
> could still be used for verifying email signatures if we sign
> signing-only keys.

If someone really believes it's fine to have no encryption subkey just<= br> because the GLEP doesn't require one explicitly...=C2=A0 It either mean= s that
person is seriously lacking the technical competence, or is a horrible
troll.=C2=A0 In either case, I don't believe such a person should be a = Gentoo
developer.

- Why does setting up GPG to= receive encrypted messages imply technical competence?

- As rich noted, most people have no idea how GPG works and they just= do whatever they are instructed to do. I don't think a lack of knowled= ge of GPG indicates "being a troll" nor "lack of technical c= ompetence." Its a terribly designed piece of software from a usability= perspective. I understand its a complex space (as many security domains ar= e) but I'm not sure the right way to proceed is to force everyone to le= arn the inner workings of the space. The goal should be to create a system = where users don't have to know all the details but still get a good sec= urity value.

-A
=C2=A0

--
Best regards,
Micha=C5=82 G=C3=B3rny
--00000000000065c853058292399f--