key question

Robert J. Hansen rjh at sixdemonbag.org
Sat Feb 27 07:11:29 CET 2010


On 2/26/10 11:55 PM, MFPA wrote:
> Maybe not but there is a perceived need, as evidenced by services
> like spamgourmet and all the disposable email address outfits

There is a perceived need for $150 bowls of soup, as evidenced by dozens
of high-priced gourmet restaurants in major cities.  The existence of a
market for a service is not evidence that the service is generally
useful or needed.

> In any case, I've never seen a convincing argument *for* including 
> email addresses in the UID of a PGP key.

First, the status quo doesn't need arguments in its favor.  The status
quo exists.  *Changing* the status quo is what requires arguments in its
favor.

Second, then you don't have to include it in yours.  Why are you
bringing this up?  I don't care what your UID is, and I don't want you
to have a vote in whether I put an email address in mine.

> If their key lived at their own website or on an email responder,
> for example, you could still do this - except the note of the
> fingerprint and key-id would also need to contain a URL.

In which case you're still hosting it publicly, so why not use the
keyservers?

> OK OK, the post I was replying to when I started this stated "It is 
> also a good idea to send your key to the keyservers." I do not see 
> this statement as any kind of self-evident truth, yet I have been 
> thoroughly taken to task for questioning it.

This is not "taking you to task."  This is listening to your claims, and
giving strong arguments against them.

My father is a judge.  Growing up, if I were to assert the sky was blue
he would ask how I knew the sky was blue.  (No, I'm not kidding.)  It's
a weird way to grow up, but it's served me very well in my life.  All
claims must be scrutinized and examined.  If they survive the scrutiny,
good.  If they don't, then let's make note of them and remember not to
waste time on these claims in the future.

> The keyservers are just one of the platforms available for
> disseminating your key. What makes them the *best* platform?

You've set up a straw man.  Nobody is arguing the keyserver network is
the best platform.  What is best will depend on each person's individual
valuation of the many factors that go into this question.

That said, it is broadly true that it's a good idea to send keys to the
keyserver network.  The reasons why have already been well-explained.
Your reasons why not are either unfounded or debunked.

In your voluminous defense of privacy rights, you've not given any
numbers for what fraction of users need or want to keep their public
keys private.  If you're arguing that the "good idea" we've advocated is
not a good idea, you need to show there are substantial numbers of users
who will be negatively impacted.  You haven't.

You've talked about the danger of reputation being slandered by
implication of association: but as David Shaw has pointed out, if
someone wants to do that there are much easier ways to do it than with keys.

You've talked about making it easy for law enforcement to learn who
communicates securely with whom: but as I've said, law enforcement (at
least in the US, and probably also the UK) has much easier ways to learn
this.

You've talked about spam: but as John Clizbe has pointed out, although
keyservers do get harvested for addresses there is no statistically
significant difference in the spamflood between putting a key on the
server or keeping it private.  You'd have to ask him about his
methodology and his precise numbers, but I'm sure he'd be willing to
provide them if you asked.  (I used to share your concerns about spam,
up until John showed me his numbers and convinced me.)

The status quo is, "it is generally a good idea to send your key to the
keyserver network."  If you want to change that, the burden is on you to
present persuasive evidence supporting a change.  So far I've not seen
it, which means the status quo stands.
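The quoted proposal earlier in this message (host the key at a URL and hand out a note with the fingerprint and key ID) and the reply to it share one assumption: what you check when a key arrives is its fingerprint, not where it came from. The following is an added example of that check, written for this page and not code from the original message or from GnuPG. The fingerprint computation is the RFC 4880 section 12.2 rule for version 4 keys; the key material is a constructed toy RSA public key (fixed creation time, a 64-bit stand-in for the modulus, e = 65537), and the function and constant names are this example's own.

```python
"""Check a fetched OpenPGP v4 key against a fingerprint recorded out of band.

Added example, not code from the original message or from GnuPG. Where the
key was fetched from (keyserver, the owner's website, an auto-responder)
does not enter into the check at all; only the full fingerprint does.
The fingerprint computation follows RFC 4880 section 12.2. The key
material is a constructed toy RSA public key, not anyone's real key, and
its "modulus" is not a real product of two primes (irrelevant for hashing).
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian value."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet holding an RSA key (algorithm id 1).

    Layout (RFC 4880 5.5.2): version 4, 4-octet creation time, 1-octet
    algorithm, then the algorithm's MPIs (n, e for RSA). The packet header
    is not part of the body and is not hashed.
    """
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """SHA-1 of 0x99, the 2-octet body length and the body; 40 upper-case hex digits."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 public keys are handled here")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low 64 bits of the v4 fingerprint: no extra information."""
    return fingerprint[-16:]


def pretty(fingerprint: str) -> str:
    """Group into blocks of four, the way gpg prints fingerprints and people copy them down."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def normalize(note: str) -> str:
    """Undo spacing and case differences in a fingerprint copied from a card or web page."""
    return "".join(note.split()).upper()


def matches_note(body: bytes, note: str) -> bool:
    """True only if the fetched key's full fingerprint equals the recorded one.

    A note that records just a key ID (16 hex digits) is rejected rather
    than matched as a suffix: it is the tail of the fingerprint, and the
    check should compare the whole value, not a fragment of it.
    """
    wanted = normalize(note)
    if len(wanted) != 40 or any(c not in "0123456789ABCDEF" for c in wanted):
        return False
    return fingerprint_v4(body) == wanted


# Constructed toy key: fixed creation time, a 64-bit stand-in "modulus", e = 65537.
TOY_BODY = v4_rsa_public_key_body(created=1267254689, n=0xC0FFEE0123456789, e=65537)
TOY_FINGERPRINT = fingerprint_v4(TOY_BODY)
# The same key with one byte altered, a stand-in for a key substituted in transit.
TAMPERED_BODY = TOY_BODY[:-1] + bytes([TOY_BODY[-1] ^ 0x01])

if __name__ == "__main__":
    note = pretty(TOY_FINGERPRINT)          # what you would write on the card
    print("recorded note  :", note)
    print("fetched key ok :", matches_note(TOY_BODY, note))
    print("substituted key:", matches_note(TAMPERED_BODY, note))
    print("key ID only    :", matches_note(TOY_BODY, key_id(TOY_FINGERPRINT)))
```

Run it and the fetched toy key passes against the recorded note, the altered copy fails, and a note carrying only the key ID is refused. Because the key ID is just the last sixteen hex digits of the fingerprint, a note that lists "fingerprint and key ID" records nothing the fingerprint alone does not, whichever URL or keyserver it also points at.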
