[kde-community] KDE Sysadmin and GPG Encryption

Ingo Klöcker kloecker at kde.org
Tue Jul 26 22:46:38 BST 2016


On Tuesday 26 July 2016 16:01:15 Luigi Toscano wrote:
> On Tuesday, 26 July 2016 19:25:25 CEST Boudhayan Gupta wrote:
> > 2) GPG doesn't simply encrypt the email, but also digitally signs
> > it.
> > Signatures are required to prove the authenticity of the email, and
> > to detect if it was tampered with. However, given our email
> > infrastructure, a GPG signature is meaningless. Anyone can create a
> > GPG key, encrypt the email and send it out. To trust the public key,
> > it would have to be either (a) distributed in a trustable way, which
> > brings us to the same situation as the SSH host key, (b) signed by
> > another trusted entity (a person), after a face-to-face meeting, or
> > (c) signed by members of a web of trust (which recursively requires
> > one of (a) and (b)). Given we live in such physically diverse
> > locations (in fact, Ben lives in New Zealand; meeting enough KDE
> > contributors face to face willing to sign his key is prohibitively
> > time, effort and finance consuming). If you can't establish trust
> > of a GPG public key, the signature is meaningless.
> 
> I strongly disagree with this. While it is complicated in Ben's case,
> we had GPG signing party at the past Akademy and we can rebuild the
> web of trust. Debian works like this. We can have one at the QtCon
> (with also people from other communities including FSFE). So
> *signing* the announcement emails should not be discouraged like it
> is in this email.

I very much agree with Luigi. IMHO, OpenPGP signatures are the most 
trustworthy kind of proof of authenticity (provided the key fingerprint 
has been verified in a way that's as secure as a face-to-face meeting 
and that the key's owner takes good care of her key).


I disagree that it's difficult for the admin team to verify and then 
sign Ben's key. For example, I think that this could be done via a voice 
chat provided the admin team regularly does voice chats and therefore 
recognizes Ben's voice. I don't care whether Ben's really called Ben and 
lives in New Zealand. All that I care for is that the admin known to us 
as Ben has sent the announcement with the new server fingerprint. And 
this I could have asserted easily, if the admin team had cross-signed 
their OpenPGP keys and I had verified the OpenPGP keys of one, or 
better two, admins in a keysigning meeting, e.g. at Akademy.


I agree that encrypting the public information about the server 
fingerprint would not have made any sense, but I guess that the people 
who complained actually wanted the message to be signed rather than be 
encrypted. OTOH, claiming that "GPG encryption is fundamentally broken" 
is unacceptable. GPG encryption is anything but broken (if it's used in 
the right way, i.e. to encrypt information exchanged between parties who 
have verified their OpenPGP key).


Regards,
Ingo
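As an added illustration that is not part of this thread, the trust evaluation Ingo describes above can be written down as a small web-of-trust check: the admins cross-certify each other's keys, a reader verifies one or two admin fingerprints in person, and Ben's key becomes valid under GnuPG-style rules (one fully trusted introducer, or three marginally trusted ones, within a bounded depth). The key names, ownertrust values and certifications below are constructed placeholders, not real KDE keys.

```python
# Constructed sample: the admin team has cross-signed each other's keys.
# Map: signer -> set of keys that signer has certified.
CERTS = {
    "ADMIN-A": {"ADMIN-B", "BEN"},
    "ADMIN-B": {"ADMIN-A", "BEN"},
    "BEN": {"ADMIN-A", "ADMIN-B"},
}


def valid_keys(verified, ownertrust, certs,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the set of keys whose validity the reader can establish.

    verified:   keys whose fingerprint the reader checked directly
                (e.g. at a keysigning meeting); these are valid by definition.
    ownertrust: key -> "full" | "marginal": how far the reader trusts that
                key's owner to certify others. Only *valid* keys introduce.
    certs:      signer -> set of certified keys (the cross-signatures).
    Defaults mirror GnuPG's classic model (1 full or 3 marginal, depth 5).
    """
    valid = set(verified)
    for _ in range(max_depth):
        newly_valid = set()
        candidates = {k for signed in certs.values() for k in signed} - valid
        for key in candidates:
            # Only certifications made by already-valid keys count.
            signers = {s for s, signed in certs.items()
                       if key in signed and s in valid}
            full = sum(1 for s in signers if ownertrust.get(s) == "full")
            marginal = sum(1 for s in signers if ownertrust.get(s) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break  # fixpoint reached: no further keys can be introduced
        valid |= newly_valid
    return valid


def announcement_authentic(signer, verified, ownertrust, certs=CERTS):
    """True if an announcement signed by `signer` is backed by a valid key."""
    return signer in valid_keys(verified, ownertrust, certs)


if __name__ == "__main__":
    # Reader verified ADMIN-A in person and fully trusts them as introducer.
    print(announcement_authentic("BEN", {"ADMIN-A"}, {"ADMIN-A": "full"}))
    # Nobody verified: Boudhayan's objection, the signature proves nothing.
    print(announcement_authentic("BEN", set(), {}))
```

With two admins verified but only marginally trusted, Ben's key stays unknown under the default of three marginals; the reader must either trust one admin fully or verify a third.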

