key question

MFPA expires2010 at
Sat Feb 27 21:39:57 CET 2010


On Saturday 27 February 2010 at 4:22:27 PM, in
<mid:4B8946C3.5050607 at>, Robert J. Hansen wrote:

> His position seems to have shifted.

As the thread has progressed, the posts I'm replying to have shifted
from "It is a good idea to send your key to the keyservers," to an
assertion that it's also a good idea to publish other people's keys
whether they want them published or not.

> At some points he's said,

> "What's not to agree with in my statement that not
> everybody wants to put their keys on the keyservers?"

> I fully agree with this.  However, he also seems to be
> advocating the advice of "generally speaking, it's a
> good idea to put keys on the keyservers" be changed to
> "generally speaking, it's not a good idea to share
> public keys without the key owner's explicit
> permission."

> This is a pretty big change in the conventional wisdom.
> Before I'll sign on to that I'll have to see some
> strong reasoning, and I haven't.

>> It seems (and I could be utterly wrong), that MFPA is
>> saying "Not  everyone wants their key on the
>> keyservers, so please don't  automatically send other
>> people's keys there.  If the key owner wants the key
>> on the keyservers, he'll send it himself."

That is exactly what I am saying. Most people's keys contain personal
contact details and the decision to place that information in the
public domain rests solely with the person whose details they are.

> MFPA has made it clear his objection applies to any
> kind of sharing of public keys without the owner's
> consent.  It's not limited to the keyserver network.
> He considers it the equivalent of passing on someone's
> home address to a complete stranger.  ("I would no more
> deliberately publish somebody's key without their
> consent than I would pass on their phone number or
> address.")

Pretty much, yes. Not forgetting the possible legal implications under
data protection legislation in the EU and other places.

> "the keyservers are generally a good idea, and
> generally speaking they should be used, and people
> should expect their public keys will wind up on them
> sooner or later, either through their direct action or
> through the accidents of others."

> It is not universally applicable advice, but I think
> that as far as general advice goes it's pretty good.

I don't think it is bad advice when put like that. Maybe the person
being advised could be pointed to a summary discussion of pros and
cons, and of alternatives to keyservers - but that would probably be
information overload.

It is definitely good advice to bear in mind that your key may well
end up on a keyserver whether you want it to or not. That will feed
into the decision of what information to include in your UIDs.

I find the attitude that it is OK to publicise somebody else's details
without consent abhorrent, and suggestive of a disregard for other
people's privacy.

Given the importance of personal privacy, it seems to me that it's too
easy to accidentally upload the wrong key to a server. I'm not sure if
anything could usefully be changed to address this; even if people
read confirmations before pressing "y" when using GnuPG, such mistakes
are all-too-easy in other packages and front-ends as well.

--
Best regards

MFPA                    mailto:expires2010 at

The problem is not that we're paranoid;
it's that we're not paranoid enough.


More information about the Gnupg-users mailing list