key question

MFPA expires2010 at ymail.com
Mon Mar 8 19:31:41 CET 2010


Hi Paul


On Monday 8 March 2010 at 7:44:42 AM, you wrote:


> I am assuming that a person inhabited with the desire to protect his
> personal information would analyze the safety of using a UID with the
> information that he wants to protect.

I think you may be assuming an awful lot, especially in the case where
the person has a desire for privacy rather than a life-or-death *need*
for privacy. Such a person may well be less rigorous than yourself in
their analysis and investigations. We *are* talking about a technology
created for privacy
(http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html).



> A person worried about the disclosure of his personal information is
> unlikely to say, "Huh. I guess I don't have an option concerning my
> privacy."

Unless their research reveals they *can* usefully create and circulate
a key that omits their name/email address, they are weighing the
privacy benefit of encrypting their mail against the privacy danger of
using a key that contains those details. That isn't quite the same as 
"I don't have an option."



> I am also assuming that the user has intelligence and judgment. 

A useful combination, sadly not common enough (-;



> I mean that he must be able to realize that he needs to be competent
> in the tool that he is using. How could a person of judgment believe
> that he could have the minimum knowledge of how to use cryptography
> and his OpenPGP tool, and believe that he will successfully protect
> his privacy?

Even intelligence and judgment together do not necessarily lead to
perfect decisions. The point when the user *thinks* he has sufficient
knowledge or competence does not automatically coincide with the point
at which this is true.



> The person concerned with the releasing of his personal information
> might make the mistakes that you have said.  But the kind of person that
> you are talking about has minimal knowledge in OpenPGP and the tools to
> implement it and has less than adequate reasoning.

I would expect an inexperienced user of *anything* to have limited
knowledge compared to an "expert," or at least to have not yet fully
reflected on and internalised the information he has acquired.

The kind of person I have described would clearly have made a poor
call in deciding they had done sufficient reading around the subject,
but I'm not convinced I have outlined a person of less than adequate
reasoning ability.



> I have been naive before.  But I didn't begin using GnuPG while I was
> still naive about it.  I studied how cryptography and OpenPGP worked,
> how to use gpg, and how to use it with e-mail and files.

Many people are less patient than you must be; I have heard numerous
people advocate the "ready, fire, aim" approach to life.



> I won't claim that I am better or more knowledgeable than some of the
> other smart people on this mailing list, but I will say that I am smart
> enough to teach others how it works.  Actually, it was my goal to
> understand the concepts and the tools well enough to teach others.

> You don't have to have the most understanding in order to teach others,
> but you do have to have /enough/ understanding in what you want to teach
> in order to teach others.

Yes, in my first two years at university most staff were assigned to 
teach topics outside their primary field of expertise, and switched 
around every year. The stated idea was to enable undergraduates to be 
taught by people who had recently learnt (or re-learnt) the same 
material, who would be more in tune with what a new learner would find 
difficult than the "expert" who, having been fully conversant with 
the material for several decades, would see it all as trivial.  



> That is what I was saying in the previous posting.  Someone who desires
> privacy will do what it takes to get it.  That includes dispelling his
> naivety with knowledge.

Which is an ongoing process. An individual desirous of privacy is 
likely to continue finding new threats and/or new protections for as 
long as they care to keep looking.



> As for the person not realizing how easy it would be to accidentally
> upload a public key to a keyserver, I was never that naive.  I was aware
> of it from the beginning.  My key wasn't on the keyservers, initially (I
> chose to upload it later).  But I knew that if I was careless it could
> wind up there.

Were you aware because of something you read, or because of 
experimentation?  

When first trying PGP in 2003, I read that uploading your key to a
server was a Good Thing but found no evidence to support that
assertion. I had no desire to publish my key to a server so I had no
reason to experiment with how to do it. I was genuinely shocked when,
much later, I found out how easy it was to upload keys and considered
the likelihood of mistakes. Fortunately, I had created my key without 
including my name or email address (because I could not see how 
including them could aid privacy).



> Maybe it is that I am an above average user.  Maybe.  Maybe it is just
> that I exercised judgment.  Maybe I expect others to do the same.

Maybe.

-- 
Best regards

MFPA                    mailto:expires2010 at ymail.com

Life is a holiday. In the same way that glass is a liquid.
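The message above turns on two practical points: a key whose user IDs omit the owner's name and e-mail address, and the ease with which a key can end up on a keyserver by mistake. The following is an added example, not code from the post or from GnuPG itself. It parses the machine-readable listing that `gpg --list-keys --with-colons` produces (record type in field 1, the user ID in field 10 of `uid` records, which is documented in GnuPG's `doc/DETAILS`) and reports every UID that carries an e-mail address or looks like a real name, so the check can be run before any `--send-keys`. The listing embedded in the script is constructed for the example; its key IDs, fingerprints and names are fictitious, and the `list_keys_colons` helper assumes a `gpg` binary on PATH.

```python
"""Flag GnuPG user IDs that disclose a name or e-mail address.

Added example (not from the mailing-list post). Parses `gpg --list-keys
--with-colons` output and reports UIDs that would leak identity if the
key were published. SAMPLE_LISTING is constructed; all IDs are fictitious.
"""
import re
import subprocess

# An address in angle brackets, or a bare user@host.tld anywhere in the UID.
EMAIL_RE = re.compile(r"<[^<>@\s]+@[^<>@\s]+>|\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Crude real-name heuristic: two or more capitalised words at the start of
# the UID, followed by a comment "(", an address " <", or end of string.
NAME_RE = re.compile(r"^[A-Z][a-z]+(?: [A-Z][a-z]+)+(?: \(| <|$)")

# Constructed --with-colons listing: one key with a conventional UID plus a
# pseudonymous one, and one key with only a pseudonymous UID.
SAMPLE_LISTING = """\
tru::1:1267000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1267000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF::
uid:u::::1267000000::AAAA::Alice Example <alice@example.org>::::::::::0:
uid:u::::1267000000::BBBB::expires2010::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1267000000::::::e::::::23:
pub:u:2048:1:1111222233334444:1267000000:::u:::scESC::::::23::0:
uid:u::::1267000000::CCCC::anon-key-2010::::::::::0:
"""


def parse_uids(listing):
    """Return [(key_id, uid)] for every uid record, keyed by the preceding pub."""
    result = []
    key_id = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            key_id = fields[4]          # field 5: long key ID
        elif fields[0] == "uid" and key_id is not None:
            # field 10 is the user ID; gpg escapes a literal ':' as \x3a,
            # so splitting on ':' is safe.
            result.append((key_id, fields[9]))
    return result


def classify_uid(uid):
    """Return the kinds of identity leak found in one UID: 'email', 'name'."""
    leaks = []
    if EMAIL_RE.search(uid):
        leaks.append("email")
    if NAME_RE.match(uid):
        leaks.append("name")
    return leaks


def find_leaky_uids(listing):
    """Return [(key_id, uid, leaks)] for UIDs that would disclose identity."""
    return [(k, u, classify_uid(u))
            for k, u in parse_uids(listing) if classify_uid(u)]


def list_keys_colons():
    """Fetch the live listing. Assumption: a `gpg` binary is on PATH."""
    proc = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Run against the constructed listing; swap in list_keys_colons() to
    # audit a real keyring before publishing anything.
    for key_id, uid, leaks in find_leaky_uids(SAMPLE_LISTING):
        print(f"{key_id}: {uid!r} leaks {', '.join(leaks)}")
```

The name heuristic is deliberately conservative: it will miss lowercase or single-word names and non-Latin scripts, and it is there to prompt a second look, not to certify a key as anonymous. The e-mail check, by contrast, is the one most worth trusting, since an address in a UID is exactly what keyserver searches index.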
