On Sat, 2019-02-23 at 11:30 -0500, Alec Warner wrote:
> On Sat, Feb 23, 2019 at 2:46 AM Michał Górny <mgorny@g.o> wrote:
>
> > On Tue, 2019-02-19 at 15:16 -0500, Rich Freeman wrote:
> > > Also, as far as I'm aware GLEP 63 does not require an encryption key
> > > at all, just a signing key. I'm not sure if such signing-keys will be
> > > signed by Gentoo under this proposal. If not then there is nothing to
> > > upload to the keyserver, and in any case it seems like the main use
> > > case of this (sending encrypted email) would not apply. Of course it
> > > could still be used for verifying email signatures if we sign
> > > signing-only keys.
> >
> > If someone really believes it's fine to have no encryption subkey just
> > because the GLEP doesn't require one explicitly... It either means that
> > person is seriously lacking the technical competence, or is a horrible
> > troll. In either case, I don't believe such a person should be a Gentoo
> > developer.
> >
>
> - Why does setting up GPG to receive encrypted messages imply technical
> competence?

The default GnuPG setup involves supporting encryption. In order not to
support encryption, you have to actually go out of your way to create
a signing-only setup, which makes no sense.

> - As Rich noted, most people have no idea how GPG works and they just do
> whatever they are instructed to do. I don't think a lack of knowledge of
> GPG indicates "being a troll" nor "lack of technical competence." It's a
> terribly designed piece of software from a usability perspective. I
> understand it's a complex space (as many security domains are) but I'm not
> sure the right way to proceed is to force everyone to learn the inner
> workings of the space. The goal should be to create a system where users
> don't have to know all the details but still get a good security value.
>

The question is: how can you actually guarantee that users that don't
understand OpenPGP/GnuPG basics can actually comprehend the basic
necessities of keeping their key secure? Next thing I learn is that
people are not protecting their keys with a password because
the instructions didn't say they had to. And GnuPG *only warned*.

-- 
Best regards,
Michał Górny
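As an added example (not part of this thread, and not Gentoo's own tooling), here is a small Python check that answers the question argued above mechanically: given the machine-readable output of `gpg --with-colons --list-keys`, does each key still have a usable (not expired, revoked or disabled) signing key and a usable encryption subkey? The colon-format text embedded in the script is constructed for the example; its key IDs, fingerprints, dates and user IDs are made up. The field layout it relies on (validity in field 2, capabilities in field 12, fingerprint and user ID in field 10 of `fpr`/`uid` records) is the one documented in GnuPG's doc/DETAILS.

```python
"""Flag OpenPGP keys that lack a usable encryption (or signing) subkey.

Added example, not project code. It parses the machine-readable output of
`gpg --with-colons --list-keys` (format documented in GnuPG's doc/DETAILS).
SAMPLE is constructed for this example: key IDs, fingerprints, dates and
user IDs are made up.
"""
import subprocess
from dataclasses import dataclass, field

# Validity codes (field 2) that make a key or subkey unusable:
# e = expired, r = revoked, i = invalid, d = disabled.
UNUSABLE_VALIDITY = set("erid")

SAMPLE = """\
tru::1:1550000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1550000000:1613000000::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1550000000::AAAA::Full Key <full@example.org>::::::::::0:
sub:u:4096:1:1111111111111111:1550000000:1613000000:::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:4096:1:2222222222222222:1550000000:1613000000:::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:u:4096:1:FEDCBA9876543210:1550000000:1613000000::u:::scSC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1550000000::BBBB::Signing Only <sign@example.org>::::::::::0:
sub:u:4096:1:3333333333333333:1550000000:1613000000:::::s::::::23:
fpr:::::::::3333333333333333333333333333333333333333:
pub:u:4096:1:5555555555555555:1550000000:1613000000::u:::scSC::::::23::0:
fpr:::::::::5555555555555555555555555555555555555555:
uid:u::::1550000000::CCCC::Expired Encr <exp@example.org>::::::::::0:
sub:u:4096:1:6666666666666666:1550000000:1613000000:::::s::::::23:
fpr:::::::::6666666666666666666666666666666666666666:
sub:e:4096:1:7777777777777777:1500000000:1540000000:::::e::::::23:
fpr:::::::::7777777777777777777777777777777777777777:
"""


@dataclass
class Key:
    primary_ok: bool = True      # primary key itself not expired/revoked/disabled
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    sign_ok: bool = False        # some usable (sub)key carries the 's' capability
    encrypt_ok: bool = False     # some usable (sub)key carries the 'e' capability

    def problems(self):
        """Policy problems for this key; an empty list means it looks fine."""
        if not self.primary_ok:
            return ["primary key is expired, revoked, invalid or disabled"]
        out = []
        if not self.sign_ok:
            out.append("no usable signing key")
        if not self.encrypt_ok:
            out.append("no usable encryption subkey")
        return out


def _note_capabilities(key, fields):
    """Record the capabilities of one pub/sub record if it is still usable."""
    validity, caps = fields[1], fields[11]
    if not key.primary_ok or validity in UNUSABLE_VALIDITY:
        return
    # Lowercase letters are this record's own capabilities; the uppercase ones
    # on a pub line are gpg's summary of the whole key, so only lowercase count.
    key.sign_ok = key.sign_ok or "s" in caps
    key.encrypt_ok = key.encrypt_ok or "e" in caps


def parse_colons(text):
    """Parse `gpg --with-colons --list-keys` output into Key objects."""
    keys, current, pending_fpr = [], None, None
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = Key(primary_ok=fields[1] not in UNUSABLE_VALIDITY)
            keys.append(current)
            pending_fpr = "pub"
            _note_capabilities(current, fields)
        elif current is None:        # e.g. the leading 'tru' record
            continue
        elif rec == "sub":
            pending_fpr = "sub"
            _note_capabilities(current, fields)
        elif rec == "fpr":
            if pending_fpr == "pub":   # keep only the primary fingerprint
                current.fingerprint = fields[9]
            pending_fpr = None
        elif rec == "uid":
            current.uids.append(fields[9])
    return keys


def audit(text):
    """Map primary fingerprint -> list of problems for every key in text."""
    return {k.fingerprint: k.problems() for k in parse_colons(text)}


def audit_local_keyring():
    """Same check against the local public keyring (not used by the sample run)."""
    out = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    for key in parse_colons(SAMPLE):
        who = key.uids[0] if key.uids else "?"
        print(f"{key.fingerprint}  {who}: {'; '.join(key.problems()) or 'ok'}")
```

Run against your own key with `gpg --with-colons --list-keys <keyid>`; the uppercase letters gpg prints in the pub record's capability field are its own summary of what is currently usable and should agree with what the script derives from the subkeys, which is a useful cross-check when a subkey has quietly expired.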