[kde-community] KDE Sysadmin and GPG Encryption

Sandro Knauß sknauss at kde.org
Tue Jul 26 14:28:59 UTC 2016


> I strongly disagree with this. While it is complicated in Ben's case, we had
> a GPG signing party at the past Akademy and we can rebuild the web of trust.
> Debian works like this. We can have one at QtCon (also with people from
> other communities, including the FSFE). So *signing* the announcement emails
> should not be discouraged like it is in this email.


For me DKIM is another layer of security. GPG encryption doesn't help at all 
in terms of verifying it, that is correct. But I think all the others mean GPG 
signatures. GPG signatures are created on the sending computer, so with a GPG 
signed mail I can be sure that the mail was not touched by anyone. DKIM 
starts with the first mailserver that supports DKIM. Nobody guarantees that 
the sender's mailserver is trustworthy. 

@Boudhayan: Only with this longer explanation can I understand that 
the mail shouldn't be tampered with in between. But keep in mind that every 
mailserver can send a mail with a fake sender mail address and have valid DKIM. 
So you would also need to verify SPF/SRS...

In the end GPG signatures would help, because they can also be used as TOFU 
(trust on first use). I trust the GPG key I get first for a mail address; 
together with the information that I know you used your key multiple 
times for sending and never complained that the key is wrong, this also gives 
strong security. With a key signing party we can raise the security level.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-community/attachments/20160726/7be9dbbd/attachment.sig>
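The two checks Sandro describes above, worked through as an added example (this is not code from the thread, from KDE or from GnuPG): a trust-on-first-use store that pins the primary key fingerprint of the first good signature seen for a sender address and flags a later signature from a different key as a conflict, and a DMARC-style alignment check that compares the DKIM `d=` domain with the `From:` domain, since a valid DKIM signature by itself only proves which domain handled the mail. The status-line format is GnuPG's real `--status-fd` output; the fingerprints, addresses and headers are constructed, and `dkim_aligned` assumes the DKIM signature itself has already been verified by a real DKIM library.

```python
"""TOFU pinning of OpenPGP signing keys per sender address, plus a
DKIM/From alignment check.  Added example, not code from the thread or
from KDE; all key fingerprints, addresses and headers are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# One line of `gpg --status-fd 1 --verify` output: "[GNUPG:] KEYWORD args..."
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text):
    """Reduce gpg status lines to (verdict, primary_key_fingerprint).

    verdict: 'good', 'bad', 'unknown_key' or 'no_sig'.  The fingerprint
    comes from VALIDSIG; its 10th field is the primary key even when the
    mail was signed with a subkey, which is what we want to pin."""
    verdict, fpr = "no_sig", None
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":
            verdict = "good"
        elif keyword == "BADSIG":
            verdict = "bad"
        elif keyword in ("ERRSIG", "NO_PUBKEY"):
            verdict = "unknown_key"
        elif keyword == "VALIDSIG" and args:
            fpr = args[9] if len(args) >= 10 else args[0]
    return verdict, fpr


class TofuStore:
    """Trust on first use: the first key that verifies a sender's mail is
    pinned; later mail from that address must verify with the same key."""

    def __init__(self):
        self.pins = {}  # address -> {"fpr": str, "good": int}

    def check(self, from_header, status_text):
        verdict, fpr = parse_status(status_text)
        if verdict != "good" or fpr is None:
            return verdict          # nothing trustworthy to pin or compare
        addr = parseaddr(from_header)[1].lower()
        pin = self.pins.get(addr)
        if pin is None:
            self.pins[addr] = {"fpr": fpr, "good": 1}
            return "pinned"         # first use: remember this key
        if pin["fpr"] != fpr:
            return "conflict"       # known sender, different key: investigate
        pin["good"] += 1
        return "good"               # same key again; history strengthens the pin

    def uses(self, address):
        pin = self.pins.get(address.lower())
        return pin["good"] if pin else 0


def dkim_aligned(raw_message):
    """True if the DKIM d= domain is the From: domain or a parent of it.

    Simplified DMARC-style alignment: no public-suffix handling, and the
    DKIM signature is assumed to have been verified elsewhere."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if not m or not from_domain:
        return False
    d = m.group(1).lower()
    return from_domain == d or from_domain.endswith("." + d)


# Constructed samples (not real keys, not real mail).
ALICE = "Alice Example <alice@example.org>"
ALICE_KEY = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
IMPOSTOR_KEY = "9999888877776666555544443333222211110000"


def status_for(primary_fpr, good=True):
    """Build constructed gpg status output for a signature by primary_fpr."""
    keyword = "GOODSIG" if good else "BADSIG"
    lines = [f"[GNUPG:] {keyword} 1122334455667788 {ALICE}"]
    if good:
        lines.append(
            "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 "
            f"2016-07-26 1469543339 0 4 0 1 10 00 {primary_fpr}")
    return "\n".join(lines) + "\n"


ALIGNED_MAIL = (
    "From: Alice Example <alice@example.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\n"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "Subject: hello\n\nbody\n")
# Same mail, but DKIM-signed by a relay unrelated to the From: domain.
UNALIGNED_MAIL = ALIGNED_MAIL.replace("d=example.org", "d=relay.example.net")

if __name__ == "__main__":
    store = TofuStore()
    for status in (status_for(ALICE_KEY), status_for(ALICE_KEY),
                   status_for(IMPOSTOR_KEY)):
        print(store.check(ALICE, status))   # pinned, good, conflict
    print(dkim_aligned(ALIGNED_MAIL), dkim_aligned(UNALIGNED_MAIL))
```

A "conflict" verdict is exactly the case TOFU is meant to catch: the address is known, the signature verifies, but the key is not the one that has been used before. A key signing party turns the pin into a web-of-trust verification, but the pin plus a history of uncontested uses is already a much stronger statement than "a DKIM signature from some domain validated".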