[kde-community] KDE Sysadmin and GPG Encryption
Sandro Knauß
sknauss at kde.org
Tue Jul 26 15:28:59 BST 2016
Hey,
> I strongly disagree with this. While it is complicated in Ben's case, we had
> GPG signing party at the past Akademy and we can rebuild the web of trust.
> Debian works like this. We can have one at the QtCon (with also people from
> other communities including FSFE). So *signing* the announcement emails
> should not be discouraged like it is in this email.
+1
For me DKIM is another layer of security. GPG encryption doesn't help anything
in terms of verifying it, that is correct. But I think all the others mean GPG
signatures. GPG signatures are created on the sending computer, so with a GPG-
signed mail I can be sure that the mail was not touched by anyone. DKIM
starts with the first mail server that supports DKIM. Nobody guarantees that
the sender's mail server is trustworthy.
@Boudhayan: Only with this longer explanation can I understand that
the mail shouldn't be tampered with in between. But keep in mind that every
mail server can send a mail with a fake sender mail address and have valid DKIM.
So you would also need to verify SPF/SRS...
In the end GPG signatures would help, because they can also be used as TOFU
(trust on first use). I trust the GPG key I get first for a mail address;
together with the information that I know you used your key multiple
times for sending and nobody ever complained that the key is wrong, this also
gives strong security. With a key signing party we can raise the security level
additionally.
regards,
sandro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-community/attachments/20160726/7be9dbbd/attachment.sig>
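The two checks Sandro's mail argues for, written out as an added example (this is not code from the original thread or from KDE sysadmin): first, a valid DKIM signature only proves which domain's server signed the mail, so the `d=` tag has to be compared with the From: domain (the DMARC-style alignment check; the script does no DNS lookup or cryptographic verification of the signature itself), and second, a trust-on-first-use store that pins an OpenPGP fingerprint per sender address and flags a later key change. The two sample messages, their signature values and the fingerprints are constructed placeholders.

```python
# Added example, not part of the original mail or of KDE's infrastructure.
# (1) DKIM alignment: a syntactically valid signature from an unrelated d=
#     domain says nothing about who wrote the From: header.
# (2) TOFU pinning of an OpenPGP fingerprint per mail address.
# Messages below are constructed; no DNS lookup or crypto is performed.
from email import message_from_string
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # values may be folded across lines; whitespace inside them is insignificant
        tags[name.strip()] = "".join(value.split())
    return tags


def from_domain(msg):
    """Domain of the RFC 5322 From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dkim_alignment(raw_message):
    """Return (aligned, signing_domain, from_domain).

    aligned is True only when the d= domain equals the From: domain or is a
    parent of it (relaxed DMARC alignment). Any mail server can produce a
    valid DKIM signature under its own domain for a forged From: address.
    """
    msg = message_from_string(raw_message)
    fdom = from_domain(msg)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False, None, fdom
    d = parse_dkim_tags(sig).get("d", "").lower()
    aligned = bool(d) and (fdom == d or fdom.endswith("." + d))
    return aligned, d, fdom


class TofuKeyStore:
    """Trust-on-first-use pinning of an OpenPGP fingerprint per sender address."""

    def __init__(self):
        self._pins = {}   # address -> fingerprint
        self.uses = {}    # address -> number of mails seen under the pinned key

    def observe(self, address, fingerprint):
        address = address.lower()
        fp = fingerprint.replace(" ", "").upper()
        pinned = self._pins.get(address)
        if pinned is None:
            self._pins[address] = fp
            self.uses[address] = 1
            return "pinned"        # first key seen: trusted from now on
        if pinned == fp:
            self.uses[address] += 1
            return "match"         # each further use raises confidence
        return "mismatch"          # key changed: stop and verify out of band


# Constructed sample messages (placeholder bh=/b= values, not real signatures).
ALIGNED_MSG = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=kde.org; s=mail;\n"
    "\th=from:to:subject; bh=dGVzdA==; b=c2ln\n"
    "From: Sandro <sknauss@kde.org>\n"
    "Subject: announcement\n\nbody\n"
)
# Same From: address, but signed by some other domain's mail server.
FORGED_MSG = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=mail;\n"
    "\th=from:to:subject; bh=dGVzdA==; b=c2ln\n"
    "From: Sandro <sknauss@kde.org>\n"
    "Subject: announcement\n\nbody\n"
)


def demo():
    store = TofuKeyStore()
    key_a = "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"  # made-up fingerprints
    key_b = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"
    return {
        "aligned": dkim_alignment(ALIGNED_MSG),
        "forged": dkim_alignment(FORGED_MSG),
        "tofu": [
            store.observe("sknauss@kde.org", key_a),
            store.observe("sknauss@kde.org", key_a),
            store.observe("sknauss@kde.org", key_b),
        ],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it directly to see the forged message come back as not aligned even though its DKIM header is well-formed, and the third `observe()` call return "mismatch" once the pinned key changes; a real client would verify the DKIM signature against the `d=` domain's DNS record and the OpenPGP signature with GnuPG before feeding these checks.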