key question

Robert J. Hansen rjh at
Fri Feb 26 22:14:58 CET 2010

On 2/26/10 3:14 PM, MFPA wrote:
> But if it bears only a slight resemblance to a duck, it is probably 
> *not* a duck.

You are asserting that (a) the person who created the public key owns
the information, (b) the person owns the information has the right to
control how it is disseminated, and (c) that if someone shares the
information in violation of the owner's wishes they are doing something
morally and/or legally wrong.

You have to assert (a).  Ownership is the legal and/or moral right to
control how a resource is utilized.  I own my car because I have the
legal and moral right to control who drives it.  You are claiming the
originator of the key material has the legal and moral right to control
how it is disseminated: therefore, you are making a claim the originator
of the key *owns* the information contained in that key.

You have to assert (b).  It follows logically from (a).  (a) implies (b).

And you are asserting (c).  You're dressing it up in polite rhetoric
about the right to privacy, but at the end of the day you're asserting
that people are doing something wrong if they violate the information
owner's wishes.

In other words, you're in the same boat as the MPAA.  Looks like a duck,
swims like a duck, quacks like a duck: it's a duck.

> The reasonable expectation that somebody will extend the common 
> courtesy of checking with the owner before publishing their key
> falls somewhat short of the owner having total control over their
> key.

You are presupposing the expectation is reasonable.  I am not willing to
grant that as a given.

> I think personally-identifiable information, including an
> individual's openPGP key, should not be made public without the
> consent of the individual ... I think it is a reasonable expectation
> that the key owner would have uploaded their key to the keyservers
> themselves if they wanted it to be there.

Again, you are begging the question.  We're trying to figure out whether
it is reasonable to expect people to keep public keys secret without the
owner's permission.  What you're saying here is, "it's reasonable
because I think it is reasonable."  You're assuming the truth of the
proposition in question, and using it to try and establish the truth of
the proposition in question.

> If the key is not already on the servers, that is a pretty strong
> indicator that the key owner wants it that way.

It's an indicator the key owner has not uploaded it to that network.
For instance, what if the key has been uploaded to PGP's keyserver
(which, last I checked, did not sync with the network, but is publicly
accessible), but not the global network?  Is that evidence the key owner
wants it publicized, but just not publicized on the global network?
Etc., etc.  There are a *ton* of edge cases here.

The absence of a key on the keyserver network is, itself, only evidence
that it's not there.  It doesn't show motive, any more than my having a
shotgun in my closet shows my motive to commit murder.

> I don't understand your comment. It's not unlawful for the
> individual to share their own information. It would be unlawful for
> the recipient of that information to share it with others without
> consent from the individual

I am unaware of your qualifications to talk about universally-applicable
law.  I cannot accept your expert opinion on this subject without it
first being established that you are an expert.

More information about the Gnupg-users mailing list