key question

[MFPA]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 15 March 2010 at 7:54:03 AM, in
<mid:4B9DE79B.3050402 at gmail.com>, Paul Richard Ramer wrote:


> If you knew more about how I shared those e-mail
> addresses, you might conclude differently.

OK



> I think that I disclosed less than you may have gotten
> the impression that I did, since those addresses were
> never private information.

I don't understand the comment that they were never private
information. They will have been private information from their
inception up until the time you publicised them or published them.



> Personally, I prefer to give an e-mail address, and
> then filter messages based upon the sender.  But that
> is my preference.  I don't believe it is The One True
> Way. :-)

It is simplest, and almost certainly most common, to just have a small
number of addresses. Multiple addresses and/or disposable addresses
can be a useful tool, but they can add complexity with no real
advantage if their use is not properly thought out.



>>> If in the future I want to go underground with a
>>> pseudonymous identity, then I will create a PGP key
>>> specifically for it.

>> And in that eventuality, do you see the attraction of
>> optionally hashing email addresses and names in UIDs,
>> so that somebody who knows your email address can find
>> your key but somebody who inspects your key gains no
>> information about you from it?

> Probably not.  I might consider it, though.  I would
> most likely create a UID like your's--pseudonym and
> nothing more.  Then use the key with e-mail accounts
> that would never have information about my real
> identity.

> This doesn't mean that the hashed UIDs idea couldn't be
> good for someone else.

I see the target user as somebody who wishes to keep their personal
contact details private, but wants openPGP users who already have
their contact details to be able to discover their key.

Not wishing to reveal my email address in my key, when faced with all
the literature saying I should, was one of the main reasons I didn't
adopt PGP the first couple of times I looked at it. Since I have no
reason to expect my thoughts on this to be unique, I believe the
hashing option for the information in UIDs would remove an obstacle
that deters some people from using openPGP.



> Anything that connects two or more messages together,
> whether it be a key ID, pseudonym, or secret pass
> phrase or sign, is less than perfect anonymity.  Even
> speech patterns will give less than perfect anonymity.

> Perfect anonymity is difficult, if not impossible, to
> achieve.  It can also be impractical, e.g. if I don't
> have a way of knowing that I am communicating with the
> same person each time, how can I know that I am not
> talking to an enemy.

Even if you know it is the same person, you could still be talking to
an enemy. You may not realise they are a spy working for a rival
organisation, for example.



> If I am to have multiple communications with an
> anonymous entity, I have to know that the last
> anonymous entity and the one that I am talking to now
> are the same.  There has to be something identifying.
> It doesn't matter what it is, but it must be there.
> Would I risk sharing secret information with the wrong
> person?

That doesn't only apply to anonymous entities. For example, is today's
John Smith the same John Smith I communicated with last week?



> Perfect anonymity is like perfect privacy.  They are
> both impossible to have if we are to live our lives
> while having relationships and associations.

What is perfect anonymity? If I recognise somebody by sight as being
somebody I have seen before but know nothing about, are they no longer
perfectly anonymous to me? Is somebody with many short-term
relationships and associations more anonymous than somebody with fewer
but long-term? One is known to more people but each knows less about
them.



> Perfect privacy means not knowing anyone or seeing
> anyone.  Because once someone has seen you, learned
> information about you, or seen where you have gone, you
> have lost some privacy.  You no longer have perfect
> privacy.

True.



> In fact, just by posting to this mailing list we have
> given up some privacy or anonymity.  The nature of the
> way we write, what we think, the experiences that we
> relate--all of these reveal something about ourselves.

When the reader is Big Brother, or a potential employer or blackmailer
etc., that might matter. When the reader is a random stranger, I
prefer to think it doesn't. I'm confident I don't post anything that
should prompt anybody to identify and come after me.



> Similarly, perfect anonymity will fail once someone can
> connect multiple messages or activities to an identity
> (whether or not that identity is a pseudonym, real
> name, or something else).

How is that of consequence until they make the link between the
identity and the person (or people) behind it? Knowledge that "John
Smith" engages in certain activities is of no use until the "John
Smith" in question has been pinpointed.



> My needs or desires may be different from your needs
> and desires.  And our needs and desires may be
> different than John Doe's needs and desires.  It
> doesn't, by necessity, make any of us better than the
> others.

I'm sure neither of us claimed it did (-;



>>>> I believe anybody with my details should be able to
>>>> fetch my key from a server, but looking at my key
>>>> should give them no extra personal information about
>>>> me.

>>> Private dissemination within a public venue.

>> I don't know why, but that simple phrase suggests to
>> me that you think it would be a bad thing.

> No, I think that it is fine.  Probably the reason that
> sentence comes off the way it does is that I previously
> inferred that you wanted a "keyserver that you can
> upload publicly and download privately", and I felt
> that your answer to that question skirted around saying
> "yes".

It did, because I was not sure I could attach the correct meaning to
"upload publicly and download privately" to answer "yes." (-:


> But truly, it is private dissemination within a public
> venue.  Nothing is wrong with that, but it is different
> than what the keyservers are currently for, which is
> public dissemination.

> I can see how some people, such as yourself, would like
> to have such a system.  But it shouldn't be touted as
> The One True Way any more than the current system.

Public dissemination is definitely the keyservers' function, but is it
also their purpose?

Why would I want to download somebody's key?
1. to verify a signature.
2. to sign their key after meeting them and verifying ID documents.
3. to encrypt a message to them.

For 1 and 2, I already know the key ID. For 3, I already know the
email address.

Is there something I have missed about the purpose of a keyserver,
that dictates it needs to show me the email address if I don't already
know it?

I'm not saying one way is "right" and another is "wrong," just that
exposing personal contact details is a privacy concern and I don't see
any inherent advantage.



>> Have I "insisted on" anything beyond the basic
>> courtesy of obtaining consent before passing on other
>> people's personal information?

> - From reading all of the posts by you to this thread,
> I would infer that you been, at least somewhat,
> projecting your goals and needs and desires onto
> whoever the user is.  It is a subtlety to your posts.

Perhaps. But there are posts by people pointing out that things I have
raised have been discussed multiple times in the past. This confirms
that some other people share (or have shared) some of my concerns.



> I imagine that you will tell me that I am a fruit cake,
> but I could waste my words on a whole post to
> demonstrate this subtlety.

I'm sure if you did it would make interesting reading, but it's not
necessary.



> As for the rest of the issues, everyone has different
> goals and needs. It would be foolish for us to assume
> what is best for all users.

I believe "it is 'best for all users' to advocate greater care with
other people's personal information," is not a foolish assumption.



> There is no One True Way and no one-size-fits-all.

Indeed. The UID hashing idea, that I read about during the life of
this thread, would be an additional option to accommodate an increased
range of privacy goals. Possibly that particular niche is too marginal
to be worth implementing, but it shouldn't be dismissed without
consideration.


- --
Best regards

MFPA                    mailto:expires2010 at ymail.com

Dogs look up to us. Cats look down on us. Pigs treat us as equals.
-----BEGIN PGP SIGNATURE-----

iQCVAwUBS55JBKipC46tDG5pAQodLAP9HoBUZ50LYBcrN+STXoPSGIRAPJP62AvA
JxeSKykKIjxVAJwRlFoHnyMv6J4yL16hwx85rPhxXUzz4P1t8Hasefmqie4quYEU
UDtzw4Fm+xVQzj9K01OsPoNIF4LlefsLgkPNt/SXZz34mtf2d/rbt8D0apVwtYwc
DeGecgLKsKs=
=g48B
-----END PGP SIGNATURE-----