key question

MFPA expires2010 at
Mon Mar 8 22:38:18 CET 2010

Hash: SHA512

Hi Paul

On Monday 8 March 2010 at 5:35:08 AM, you wrote:

> MFPA wrote:
>> On Saturday 6 March 2010 at 8:55:48 AM, you wrote:
>>> On Sat, 27 Feb 2010 03:52:02 +0000 MFPA wrote:
>>>>> (b) the person owns the information has the right to
>>>>> control how it is disseminated, and
>> This was someone's re-interpretation of my point. Spot the extra ">"?

> Hello MFPA,

> I never asserted that you said the key's originator owned the
> information stored in the key.  I was quoting the context of what your
> reply about the originator having "some rights" was about.  I would
> never try to insert words into your mouth.

I just wanted anybody reading this after the event to be clear the
quoted line about owning was not anything *I* have said.

>>>> The data subject does have various rights concerning the personal
>>>> information that is about him.

> I used this quote, because I believe
> that it states, in your own words, what you have been saying, either
> directly or by implication, during this whole discussion thread.

Yes, it is the main thing I have ended up discussing.

>> The concept of *owning* your personal information makes little sense.
> [snipped the rest of the paragraph]

> You have began by answering a question that I never asked.  I have only
> asserted that you believe that the originator has "some rights".  I
> never used the word "own".  I used the word "rights".

Since you quoted Robert J. Hansen's line beginning "the person owns
the information," I felt I could not reasonably address the question
you went on to ask without first putting that point to bed.

> Really, I am not interested in talking about what the law says.  The law
> may be right, or the law may be wrong.  I don't want to know what the
> law thinks, I want to know what you think.

The legal aspect is an integral part of the answer to your question;
it demonstrates that rights to privacy and to an element of control
over one's personal information are not something I dreamt out of thin
air. Whatever different views people may have on moral or ethical
rights, there are situations where processing/storage/dissemination of
personal information is the subject of an established body of
legislation and legal precedent. All that is open to question is the
extent and nature of privacy "rights" that may exist beyond the narrow
set enshrined in law and the slightly wider set in documents such as

> For the record, I don't believe that the key holder should upload the
> key if the key's originator doesn't want

Seeing as we are framing this in terms of "rights," do you believe the
holder has a right to upload in these circumstances but "should not"
exercise that right?

>  the key in some public venue
> (forget the keyservers, it's about public availability).

It's not entirely about public availability. There is also the
inability to remove a key from most servers. An individual may be
perfectly happy to post the key on their website, or biglumber, or the
PGP directory, but not want it on the main server networks. It's about
the individual's right to choose what happens to their personal

> But I don't believe the originator has a /right/ to prevent the key
> holder from sharing it.

Morally and ethically, I disagree. To use an example with phone
numbers: say I had a personal friend who was an insurance broker with
a teenaged daughter and elderly parents. I would suggest it's
perfectly in order for me to pass to a third party my mate's business
number. I definitely have no moral or ethical right to pass on his
daughter's or parent's numbers or his personal number. Some would
argue he has a right to give me a good beating if I did.

In practical terms, the originator currently has no means to prevent
this sharing, whether or not he has a right. In a certain narrow set
of circumstances, there could be an argument for legal redress if the
originator's personal information was shared.

> I don't believe the keyserver (or the church) is responsible for
> another's actions.  But I wanted to see whether you thought the
> keyserver should be responsible.

I also don't think a webhost should be deemed responsible if somebody
posts unlawful material on a site or forum that happens to be hosted
on their servers.

> The only problem that I can see with the keyserver preventing any
> modification of the originator's key, is that it could prevent someone
> else from ever revoking their signature on the originator's key.  That
> would be, of course, if absolutely no modification is allowed.

Unless I have missed something, the RFCs have not addressed that

>>> If the originator does have "rights" to control copying and sharing, are
>>> there any "fair use rights" for the person who has a copy of the public
>>> key?  Should these "rights" of the originator be enforced by some
>>> governing body, or should they be merely courtesy or suggestion?
>> I am not advocating anything remotely equivalent to copyright
>> provisions, just protection of personal information.

> The "rights" that you are asserting are similar to copyrights.  They
> both restrict the copying and dissemination of the information
> associated with them.

I cannot conceive of anything other than a presumption of privacy in
respect of the personal information usually present in the UIDs, and
have always been amazed at the number of people displaying it openly
on their public keys.

> So if the key holder can't ethically (not talking
> about physically) share the key or modify it, then what "rights" does
> the key holder have?

Any use whatsoever that in no way compromises the privacy of the
originator's personal information.

> Your purpose for keyservers and my purpose for keyservers are different.
>  I believe that keyservers should be for the public dissemination of
> keys.  You believe that keyservers should be for the private
> dissemination of keys.

I believe anybody with my details should be able to fetch my key from
a server, but looking at my key should give them no extra personal
information about me.

> What /you/ want is a keyserver that you can upload publicly and share
> privately.  I want is a keyserver that I can upload publicly and share
> publicly.

> Remember that they are called public keyservers.  And like a public
> restroom, they can be used by deviant and saint alike.

> You shouldn't assail the public keyservers.

My intention was merely to challenge the statement "it's a good idea
to upload your key to a keyserver," since I had seen such sentiments
expressed without qualification various places previously but had
always seen more good reasons against than in favour. I got into a
much longer (and more interesting) discussion than expected.

> You should be calling for an additional kind of keyserver to fill
> the niche of people like you.

I think it would work better if the option of increased privacy could
be integrated into the mainstream servers.

- --
Best regards

MFPA                    mailto:expires2010 at

The truth is out there.


More information about the Gnupg-users mailing list