key question

MFPA expires2010 at
Sat Feb 27 05:55:07 CET 2010


On Friday 26 February 2010 at 5:04:36 PM, in
<mid:4B87FF24.3000005 at>, Robert J. Hansen wrote:

> On 2/26/10 10:53 AM, MFPA wrote:
>> There are privacy issues, especially if user-ids on the key contain
>> email addresses.

> This isn't persuasive.  It's been hammered out tons of
> times, and no one has ever presented a strong argument
> for keeping email addresses secret.

Maybe not but there is a perceived need, as evidenced by services like
spamgourmet and all the disposable email address outfits.

In any case, I've never seen a convincing argument *for* including
email addresses in the UID of a PGP key.

>> In some cases, the authorities knowing an individual
>> used encryption could be a problem.

> Why?  Because they have a key on the keyservers?

OK, as a reason not to upload somebody's key to a server without their
consent, this was poor. I suspect an individual in those circumstances
would take great care that whoever had their key knew to keep it

>> There is the issue of controlling the image that is
>> portrayed by the signatures on your key.

> That image can only be portrayed if the viewers are
> ignorant of how the WoT works.  What you are saying
> here is, "we must change the way we act in order to
> accommodate the prejudices of the ignorant."

Well, now you put it that way...

>> Other than that, how does the presence of my key on a
>> keyserver foster the use of encryption when emailing
>> me?

> Speaking for myself, I've used the keyservers on
> several occasions. I'll meet someone in person, they'll
> give me their key ID and fingerprint, and then later on
> I'll pull down their key ID, verify their fingerprint,
> and then use it for communication with them.

If their key lived at their own website or on an email responder, for
example, you could still do this - except the note of the fingerprint
and key-id would also need to contain a URL.

>> What's not to agree with in my statement that not
>> everybody wants to put their keys on the keyservers?

> I don't think we agree that's your statement.  Not
> everybody believes the world is round, or that the
> Earth orbits the sun.  You can always find at least
> *one* person who believes some nonsense, and the fact
> that not *everyone* agrees is not evidence that these
> minority fringe viewpoints should be allowed to
> substantially influence mainstream usage.

OK OK, the post I was replying to when I started this stated "It is
also a good idea to send your key to the keyservers." I do not see
this statement as any kind of self-evident truth, yet I have been
thoroughly taken to task for questioning it. The keyservers are just
one of the platforms available for disseminating your key. What makes
them the *best* platform? Nothing in this thread so far has convinced
me of their supremacy.

> The fact you are arguing so passionately for this point
> of view leads me to believe you have a horse in this
> race, and that you want to persuade other people to not
> upload keys by default.

I would no more deliberately publish somebody's key without their
consent than I would pass on their phone number or address. I would
expect that to be normal, without the need to persuade anybody.

--
Best regards

MFPA                    mailto:expires2010 at

No matter where you go, there you are.


More information about the Gnupg-users mailing list