| 1 |
On Sat, 2019-02-23 at 11:30 -0500, Alec Warner wrote: |
| 2 |
> On Sat, Feb 23, 2019 at 2:46 AM Michał Górny <mgorny@g.o> wrote: |
| 3 |
> |
| 4 |
> > On Tue, 2019-02-19 at 15:16 -0500, Rich Freeman wrote: |
| 5 |
> > > Also, as far as I'm aware GLEP 63 does not require an encryption key |
| 6 |
> > > at all, just a signing key. I'm not sure if such signing-keys will be |
| 7 |
> > > signed by Gentoo under this proposal. If not then there is nothing to |
| 8 |
> > > upload to the keyserver, and in any case it seems like the main use |
| 9 |
> > > case of this (sending encrypted email) would not apply. Of course it |
| 10 |
> > > could still be used for verifying email signatures if we sign |
| 11 |
> > > signing-only keys. |
| 12 |
> > |
| 13 |
> > If someone really believes it's fine to have no encryption subkey just |
| 14 |
> > because the GLEP doesn't require one explicitly... It either means that |
| 15 |
> > person is seriously lacking the technical competence, or is a horrible |
| 16 |
> > troll. In either case, I don't believe such a person should be a Gentoo |
| 17 |
> > developer. |
| 18 |
> > |
| 19 |
> |
| 20 |
> - Why does setting up GPG to receive encrypted messages imply technical |
| 21 |
> competence? |
| 22 |
|
| 23 |
The default GnuPG setup involves supporting encryption. In order not to |
| 24 |
support encryption, you have to actually go out of your way to create |
| 25 |
signing-only setup which makes no sense. |
| 26 |
|
| 27 |
> - As rich noted, most people have no idea how GPG works and they just do |
| 28 |
> whatever they are instructed to do. I don't think a lack of knowledge of |
| 29 |
> GPG indicates "being a troll" nor "lack of technical competence." Its a |
| 30 |
> terribly designed piece of software from a usability perspective. I |
| 31 |
> understand its a complex space (as many security domains are) but I'm not |
| 32 |
> sure the right way to proceed is to force everyone to learn the inner |
| 33 |
> workings of the space. The goal should be to create a system where users |
| 34 |
> don't have to know all the details but still get a good security value. |
| 35 |
> |
| 36 |
|
| 37 |
The question is: how can you actually guarantee that users that don't |
| 38 |
understand OpenPGP/GnuPG basics can actually comprehend the basic |
| 39 |
necessities of keeping their key secure? Next thing I learn is that |
| 40 |
people are not protecting their keys with password because |
| 41 |
the instructions didn't say they had to. And GnuPG *only warned*. |
| 42 |
|
| 43 |
-- |
| 44 |
Best regards, |
| 45 |
Michał Górny |
Archives