key question

Robert J. Hansen rjh at
Sat Feb 27 21:03:15 CET 2010

On Feb 27, 2010, at 2:21 PM, MFPA wrote:
> I have always been taught to challenge the status quo. "Because that's
> the way we do it" is *never* a good reason to continue doing something
> in a particular way.

The status quo has something going for it: it works.  95% of all new ideas are awful and should be discarded.  New ideas are how the status quo changes for the better, but that doesn't mean we should throw out the status quo just because an idea comes along which happens to be new.

> My
> contention is that the de facto standard of revealing email addresses
> in key UIDs could actually be mitigating *against* the use of
> encrypted mail, by discouraging people from publishing keys or even
> from using openPGP in the first place.

It's an interesting idea, but I don't see any facts to back it up.  How many users are dissuaded?  Is this a major concern, or not a concern?  What does the published literature say about it?  And so on, and so on.

Speculation is great, but speculation isn't fact -- and we need to change the way we do things based on facts, not on speculations.  We can agree on facts, but our speculations will likely not overlap very much at all.

> That advice, coupled with the
> default configuration's enforcement of including an email address (or
> something that appears to be one) clearly has the potential to scare
> potential users from experimenting with openPGP in the first place.

The same way the shotgun in my closet clearly has the potential to be used as a murder weapon.

Potential != actuality.  All manner of potential things do not come to pass.  Before we change the way we do business, I'd like to know that we're changing to address a real problem, not merely a potential problem where no one really knows if it's a real problem or not.

The world has enough interesting problems to solve without us having to go off chasing ghosts.

> Because you suggested in an earlier post in this thread that it was
> somehow acceptable to publish somebody's key to a server without their
> consent.

I don't think I said it was "acceptable."  I would find it to be in poor taste, myself, if it were done deliberately.  However, I don't think it would amount to a moral or ethical failing.

> Because by hosting it yourself, you have control over what signatures
> and UIDs appear on the published key. Or is that just an illusion?


Let's say that Joe downloads your key from the web page.  Joe then syncs his entire keyring with the keyserver.  (This is a feature in PGP; you can also do the same thing with GnuPG, if you don't mind getting a little crazy with awk and sed scripts.)  Your key then gets on the server, and... etc.  Maybe Joe is doing it deliberately.  Maybe he has a misconfigured installation.  Maybe he thinks he's doing you a favor.  Whatever.  The point is, the world is full of Joes, and sooner or later your key will wind up on the server.

Once you make any public release of your key, it is only a matter of time until that key winds up on the keyserver network.  You can either keep your public key very secret and only give it to people who have need-to-know and make them sign a nondisclosure agreement written in the blood of their children, or you can accept the fact that it will be put on the keyserver and take appropriate steps.

> The collective response on this thread has indeed debunked a few myths
> for me. The main issue I'll never be converted on is the potential
> privacy problem of publishing somebody else's key to the servers.

This is an argument from emotional conviction.  That doesn't mean it's invalid or inappropriate or that you shouldn't have this response -- don't get me wrong.  I like emotions; emotions are pretty cool things.  I just don't like arguing from emotional conviction, because I either share in the response or I don't.  If I do, then you don't need to say anything because I'm already on your side.  If I don't, then you don't need to say anything because you can't persuade me into having that particular emotional response.  I either have it or I don't.

But just like there's nothing you can say to *me*, there's nothing I can say to *you*.  The instant you say "I will never be converted!", well, okay: thanks for letting me know.  I won't try to persuade you, because you've made it clear you won't be persuaded.

> If I was able to show that, those who need/want such privacy would be
> making a poor job of trying to enforce it.

So the lack of evidence is, itself, evidence?  That sounds more like a conspiracy theory.

> I don't care how many users
> this affects. For me, what matters is that any key I encounter *could*
> relate to one of them.

This is an idealistic view of the world.  I like idealism.  I admire idealism.  I just think it's impractical and destructive.

What you're saying here is, "even if the advice were sound for one million users, and destructive to the privacy of just one, I still would not change because any key I encounter could be that one."

The perfect is the enemy of the good.
