key question

Paul Richard Ramer free10pro at gmail.com
Mon Mar 8 08:44:42 CET 2010 

MFPA wrote:
>> In each of these cases, John Doe made the mistake of thinking that
>> he could keep his personal information in his key, and that he could
>> keep his key off the keyservers. If John were to make the wisest
>> decision about keeping his personal informaton secret, wouldn't he
>> choose to not include this information in a key that is probable to
>> end up in a public venue?
> 
> 
> You are assuming he realised it was probable. The benefit of hindsight
> will presumably lead him to proceed differently in future. Initially,
> John may not have even known he *could* create a useable key without
> his valid email address. He might have been used to trusting his those
> in his closed circle. He might not have experienced or considered how
> easy it was to make mistakes resulting in inadvertent key upload. He
> may have read about the "keyserver-no-modify" flag and assumed the
> feature would actually protect his key from accidental or malicious
> publication.

I am assuming that a person inhabited with the desire to protect his
personal information would analyze the safety of using a UID with the
information that he wants to protect.  A person worried about the
disclosure of his personal information is unlikely to say, "Huh.  I
guess I don't have an option concerning my privacy."

I am also assuming that the user has intelligence and judgment.  If the
user is stupid and foolish, nothing can save him.  By saying that he
must have intelligence and judgment, I mean that he must be able to
realize that he needs to be competent in the tool that he is using.  How
could a person of judgment believe that he could have the minimum
knowledge of how to use cryptography and his OpenPGP tool, and believe
that he will successfully protect his privacy?

The person concerned with the releasing of his personal information
might make the mistakes that you have said.  But the kind of person that
you are talking about has minimal knowledge in OpenPGP and the tools to
implement it and has less than adequate reasoning.

I have been naive before.  But I didn't begin using GnuPGP while I was
still naive about it.  I studied how cryptography and OpenPGP worked,
how to use gpg, and how to use it with e-mail and files.

I won't claim that I am better or more knowledgeable than some of the
other smart people on this mailing list, but I will say that I am smart
enough to teach others how it works.  Actually, it was my goal to
understand the concepts and the tools well enough to teach others.

You don't have to have the most understanding in order to teach others,
but you do have to have /enough/ understanding in what you want to teach
in order to teach others.

Naivety in how to protect your privacy leads to having no privacy.  Take
for example how it is that many young people share the intimate details
of their lives on social networks, chat rooms, et cetera.  They are
naive and *foolish*.

While training these kids on how to protect their privacy could lead to
many of them abandoning such unsafe practices, this doesn't mean that
someone who already wants privacy would think that those same unsafe
practices were safe.

That is what I was saying in the previous posting.  Someone who desires
privacy will do what it takes to get it.  That includes dispelling his
naivety with knowledge.

As for the person not realizing how easy it would be to accidentally
upload a public key to a keyserver, I was never that naive.  I was aware
of it from the beginning.  My key wasn't on the keyservers, initially (I
chose to upload it later).  But I knew that if I was careless it could
wind up there.

Maybe it is that I am an above average user.  Maybe.  Maybe it is just
that I exercised judgment.  Maybe I expect others to do the same.

-Paul

--
"You are free to rip me off.  Just remember to credit me."  --self

PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045  A9F7 C7C6 6ADF 3DB6 D884

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100307/42fd9be4/attachment.pgp>

More information about the Gnupg-users mailing list