key question

MFPA expires2010 at ymail.com
Fri Mar 19 14:06:38 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Friday 19 March 2010 at 6:54:06 AM, in
<mid:4BA31F8E.1050704 at gmail.com>, Paul Richard Ramer wrote:


> On Sat, 13 Mar 2010 20:05:21 +0000 MFPA wrote:
>> It looks to me as if the answer is "yes." Unless each
>> person who had one of your email addresses already
>> knew the other addresses before seeing them on your
>> key, they now have extra information about you. And
>> the addresses have jumped from "shared outside of
>> people [you] knew personally" to published in a
>> universally-accessible location. However
>> minor/negligible or unimportant you may consider it,
>> that's a reduction in privacy.

> You are, of course, assuming all of my contacts know
> what PGP is, how to use a keyserver, and have fetched
> and examined my key.

OK, I should have qualified "they now have extra information about
you" with "potentially" or "access to."



> Although I have potentially disclosed my e-mail addresses to the
> whole world, my actual disclosure has been less than had I posted
> those e-mail addresses to a web page or handed a copy of my key UIDs
> to whomever.

The lower level of spam from publicising your email addresses on a
keyserver compared to a web page suggests the first of these is true
(although that may be related to ease of extraction of email
addresses). I'm not sure how you would go about measuring the second.
(-;



> But you know what?  I don't care.

I'm clear that this doesn't bother you.



> I created those UIDs
> with the belief that if I shared them with one person,
> I shared them with the world.

Of course, but it doesn't have to be that way.

I do not see that users of OpenPGP gain anything at all from this
public exposure of their private details, if their key could
usefully be made publicly available without.



> I intentionally made
> that information public, which is different from
> accidental disclosure.

Yes it is.



> Also the use of a keyserver in my case was good,
> because I don't have any means of distributing my key
> electronically other than by e-mailing my key to every
> person that may request it.  So a keyserver fits the
> way I want to work.

Well, you *could* include it in every email you send out; or use an
email auto-responder, post it on a web page, post it to BigLumber, etc
and use a signature notation (or a note in a comment line or an email
footer) to link to it. But most of these options probably fit the way
of working you describe less well than using a keyserver.



- --
Best regards

MFPA                    mailto:expires2010 at ymail.com

Confusion is always the most honest response
-----BEGIN PGP SIGNATURE-----

iQCVAwUBS6N28qipC46tDG5pAQosPwP/T1UBiDz3i0w3bob+Yd//OwxLQHvWyhnI
+kRzUO2SWTdqbntSZBWlVJXiWeNcB5d8cV9AYbf48TUrqVMV5tHzdMrm3iiOwP4f
rzGNWbN717TECS+R4ZIE+L6e2foYD3iQSmj5cDtBWpok+OZtaViRRRnVbb+40VvQ
VlLKjQrgf/0=
=7B90
-----END PGP SIGNATURE-----




More information about the Gnupg-users mailing list