[kde-community] KDE Sysadmin and GPG Encryption
sknauss at kde.org
Tue Jul 26 14:28:59 UTC 2016
> I strongly disagree with this. While it is complicated in Ben's case, we had
> a GPG signing party at the past Akademy and we can rebuild the web of trust.
> Debian works like this. We can have one at the QtCon (with also people from
> other communities including FSFE). So *signing* the announcement emails
> should not be discouraged like it is in this email.
For me DKIM is another layer of security. GPG encryption doesn't help anything
in order of verifying it, that is correct. But I think all others mean GPG
signatures. GPG signatures are created at the sending computer, so with a GPG
signed mail I can be sure that the mail was not touched by anyone. DKIM
starts with the first mailserver that supports DKIM. Nobody guarantees that
the sender's mailserver is trustworthy.
@Boudhayan: Only with this longer explanation can I understand that
the mail shouldn't be tampered with in between. But keep in mind that every
mailserver can send a mail with a fake sender mail address and have valid DKIM.
So you would also need to verify SPF/SRS...
In the end GPG signatures would help, because they can also be used as TOFU
(trust on first use). I trust the GPG keys I get first for a mail address,
together with the information that I know that you used your key multiple
times for sending and never complained that the key is wrong, gives also
strong security. With a key signing party we can raise the security level
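The layers argued about above (a DKIM signature added by the first mail server, an end-to-end signature made on the sender's own computer, DKIM/From alignment, and trust-on-first-use pinning of a sender's key) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from KDE sysadmin. It assumes HMAC-SHA256 as a stand-in for the asymmetric signatures real DKIM and OpenPGP use, a dict in place of DNS for DKIM keys, and constructed addresses, domains and key bytes (`alice@kde.org`, `evil.example`, `alice-key`, `mallory-key`). What it shows is which bytes each signature covers, who adds it, and which checks catch which failure.

```python
"""Toy model of the mail-authentication layers discussed in the thread.

Constructed example: signatures are HMAC-SHA256 over the covered bytes, a
stand-in for the RSA/Ed25519 signatures real DKIM and OpenPGP use.  "DNS"
and the keyring are plain dicts.  Only coverage and key holder matter here.
"""
import hashlib
import hmac

# Constructed DKIM selector keys, as each mail server operator would publish
# them in DNS.  Any operator can publish one for its *own* domain.
DKIM_DNS = {"kde.org": b"kde-dkim-secret", "evil.example": b"evil-dkim-secret"}


def make_mail(sender, subject, body):
    return {"from": sender, "subject": subject, "body": body}


def _covered(msg):
    # Bytes both signature kinds cover: From, Subject and the body.
    return f"{msg['from']}\n{msg['subject']}\n{msg['body']}".encode()


def _sig(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def user_sign(msg, key):
    """End-to-end signature made on the sender's own computer, before any mail
    server sees the message.  The key travels with the mail here, standing in
    for the OpenPGP public key / key ID a client would attach (assumption)."""
    msg["user_key"] = key
    msg["user_sig"] = _sig(key, _covered(msg))
    return msg


def dkim_sign(msg, domain):
    """Added by the first DKIM-capable server; d= names that server's domain,
    which need not be the domain in From."""
    msg["dkim_d"] = domain
    msg["dkim_sig"] = _sig(DKIM_DNS[domain], _covered(msg))
    return msg


def dkim_verify(msg):
    key = DKIM_DNS.get(msg.get("dkim_d"))
    return key is not None and hmac.compare_digest(
        msg.get("dkim_sig", ""), _sig(key, _covered(msg)))


def dkim_aligned(msg):
    """DMARC-style alignment: signing domain must equal the From domain.
    A valid DKIM signature on its own says nothing about the From header."""
    return msg.get("dkim_d") == msg["from"].split("@", 1)[1]


def user_verify(msg):
    key = msg.get("user_key")
    return key is not None and hmac.compare_digest(
        msg.get("user_sig", ""), _sig(key, _covered(msg)))


class TofuStore:
    """Trust on first use: pin the first key seen for an address, then flag
    any later mail from that address that carries a different key."""

    def __init__(self):
        self.pins = {}

    def check(self, address, key):
        fingerprint = hashlib.sha256(key).hexdigest()[:16]
        pinned = self.pins.get(address)
        if pinned is None:
            self.pins[address] = fingerprint
            return "first-use"
        return "match" if pinned == fingerprint else "MISMATCH"


def assess(msg, tofu):
    e2e = user_verify(msg)
    return {
        "dkim_valid": dkim_verify(msg),
        "dkim_aligned": dkim_aligned(msg),
        "e2e_valid": e2e,
        "tofu": tofu.check(msg["from"], msg["user_key"]) if e2e else "unsigned",
    }


def run_scenarios():
    """Five constructed deliveries; returns the per-scenario verdicts."""
    tofu = TofuStore()
    alice, mallory = b"alice-key", b"mallory-key"
    out = {}
    # 1/2. Alice signs on her machine, the kde.org server adds DKIM; a second
    #      mail with the same key is the "used repeatedly" trust from the thread.
    m = dkim_sign(user_sign(make_mail("alice@kde.org", "Akademy", "see you"), alice), "kde.org")
    out["legit_first"] = assess(m, tofu)
    m = dkim_sign(user_sign(make_mail("alice@kde.org", "Akademy", "slides"), alice), "kde.org")
    out["legit_again"] = assess(m, tofu)
    # 3. Forged From relayed by a server that DKIM-signs for its own domain:
    #    DKIM verifies, but it is not aligned and the pinned key does not match.
    m = dkim_sign(user_sign(make_mail("alice@kde.org", "urgent", "reset now"), mallory), "evil.example")
    out["forged_from"] = assess(m, tofu)
    # 4. Untrustworthy sender server alters the body *before* adding DKIM.
    m = user_sign(make_mail("alice@kde.org", "Akademy", "see you"), alice)
    m["body"] = "see you (altered)"
    out["altered_before_dkim"] = assess(dkim_sign(m, "kde.org"), tofu)
    # 5. Altered in transit *after* DKIM: both signatures break.
    m = dkim_sign(user_sign(make_mail("alice@kde.org", "Akademy", "see you"), alice), "kde.org")
    m["body"] = "see you (altered)"
    out["altered_after_dkim"] = assess(m, tofu)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Scenario 3 is the case the message warns about: a perfectly valid DKIM signature on a mail with a forged From, which only the alignment check and the TOFU pin expose. Scenario 4 is the "sender's mailserver is not trustworthy" case, where DKIM is valid and aligned yet the signature made on the sending computer no longer verifies.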