expires2010 at ymail.com
Fri Feb 26 22:03:14 CET 2010
-----BEGIN PGP SIGNED MESSAGE-----
On Friday 26 February 2010 at 6:30:16 PM, you wrote:
> As a practical matter, even if your contacts agree to respect your
> wishes, it's still pretty easy for them to accidentally send it to
> the keyservers. Perhaps mis-typing a command when they try to upload
> their own key. Perhaps clicking the wrong button. Perhaps because
> they just don't really know how gpg works and start typing random
Yes, for example in GPGshell, "Send to Key-server" and "Update from
Key-server" are adjacent context menu items. And the submenus that
they generate are almost identical, so it is easy to not spot if you
have clicked the wrong one.
I also would prefer it if GPG itself asked for confirmation of action
(including displaying the key-ID and user-IDs) for the --send-keys
command, with the assumption of "no" unless you typed "y"
> From a practical perspective, whether it's right or wrong, you've got to
> assume that if they can, they will,
But you may still wish they didn't and couldn't (-;
> and that key will be out there forever.
> One of the reasons to use public/private key encryption is
> because you don't always trust the other parties to do the correct thing.
> So if you are worried about the keyservers having information that could
> somehow implicate you in whatever, you'd need to obfuscate your UID, as
> you mentioned in another post. Asking people not to publish the key
> doesn't offer any real protection. And if you've done that, you might
> as well publish the key yourself.
Not including your name or your email address in the UID offers
protection against the accidental upload scenario. But somebody could
still generate a key with a UID suggesting nefarious activities, sign
your key with it, and upload it. Or their UID could simply identify
whose was the key with the obfuscated UID.
MFPA mailto:expires2010 at ymail.com
If you can't convince them, confuse them.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users