key question

MFPA expires2010 at
Fri Feb 26 22:03:14 CET 2010

Hi Grant

On Friday 26 February 2010 at 6:30:16 PM, you wrote:

> As a practical matter, even if your contacts agree to respect your
> wishes, it's still pretty easy for them to accidentally send it to
> the keyservers. Perhaps mis-typing a command when they try to upload
> their own key. Perhaps clicking the wrong button. Perhaps because
> they just don't really know how gpg works and start typing random
> commands.

Yes, for example in GPGshell, "Send to Key-server" and "Update from
Key-server" are adjacent context menu items. And the submenus that
they generate are almost identical, so it is easy to not spot if you
have clicked the wrong one.

I also would prefer it if GPG itself asked for confirmation of action
(including displaying the key-ID and user-IDs) for the --send-keys
command, with the assumption of "no" unless you typed "y".

> From a practical perspective, whether it's right or wrong, you've got to
> assume that if they can, they will,

But you may still wish they didn't and couldn't (-;

> and that key will be out there forever.

Yes, unfortunately.

>  One of the reasons to use public/private key encryption is
> because you don't always trust the other parties to do the correct thing.

> So if you are worried about the keyservers having information that could
> somehow implicate you in whatever, you'd need to obfuscate your UID, as
> you mentioned in another post.  Asking people not to publish the key
> doesn't offer any real protection.  And if you've done that, you might
> as well publish the key yourself.

Not including your name or your email address in the UID offers
protection against the accidental upload scenario. But somebody could
still generate a key with a UID suggesting nefarious activities, sign
your key with it, and upload it. Or their UID could simply identify
whose was the key with the obfuscated UID.

--
Best regards

MFPA                    mailto:expires2010 at

If you can't convince them, confuse them.
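
The confirmation step requested in the message above can be approximated outside GnuPG with a shell wrapper. This is an added example, not part of the original post and not GnuPG's own code; the function name `confirm_send_keys` and the `GPG` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a default-"no" confirmation in front of "gpg --send-keys".
# GPG (assumption) may name an alternative binary; it defaults to "gpg".

# confirm_send_keys KEYID...
# Shows the key ID and user IDs of every key that would be uploaded,
# then reads one answer from stdin. Only "y" or "Y" proceeds; an empty
# answer, EOF, or anything else aborts without contacting a keyserver.
confirm_send_keys() {
    gpg_bin="${GPG:-gpg}"
    if [ "$#" -eq 0 ]; then
        echo "usage: confirm_send_keys KEYID..." >&2
        return 2
    fi
    for key in "$@"; do
        # Refuse arguments that gpg would parse as options.
        case "$key" in
            -*) echo "refusing option-like argument: $key" >&2; return 2 ;;
        esac
        # Display what is about to be published; fail if the key is unknown.
        "$gpg_bin" --list-keys --keyid-format long "$key" >&2 || {
            echo "key not found in keyring: $key" >&2
            return 1
        }
    done
    printf 'Send the key(s) listed above to the keyserver? [y/N] ' >&2
    answer=""
    read -r answer || answer=""
    case "$answer" in
        y|Y) "$gpg_bin" --send-keys "$@" ;;
        *)   echo "Aborted; nothing was sent." >&2; return 1 ;;
    esac
}
```

The wrapper only helps when it is what the user actually invokes; a front end that calls gpg directly bypasses it.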