Creating a key bearing no user ID

John Clizbe John at enigmail.net
Mon Jan 23 06:33:38 CET 2012


Holger wrote:
> 2012-01-22T16:11:14-08:00, Doug Barton:
>> On 01/22/2012 10:05, Holger wrote:
>> > I intend to use gpg only for receiving encrypted e-mail, not signing
>> > my outgoing e-mail. Because I don't want my name or e-mail address
>> > out there on the keyservers,
>> 
>> Why not?
> 
> One reason is spam, though we haven't seen excessive abuse of the
> keyserver-data or the keyservers themselves yet. Of course I could simply omit
> the e-mail address. Another one: My full name is rather unique and I don't want
> to reveal with whom I communicate i.e. who signed my key. On the other hand,
> public keys can be easily polluted with bogus signatures ... but I guess the
> average researcher is not aware of that and the versed is able to filter out the
> bogus ones. So maybe I should refrain from participating in the web of trust and
> build my personal "star of trust"?!

I have a very unique last name and I'm not afraid of the keyservers. I know of
about six "John Clizbe"s. We differ by middle initial and name.

BTW, if I represented an entity concerned with whomever you communicated, I
would likely not bother with your key. It would be much easier to have a copy of
your outgoing mail retained by your ISP.

Keyserver SPAM is a straw-man argument. Yes, it's possible for an address to be
pulled from the key on a keyserver, in fact, I'm convinced harvesting probably
takes place. But testing I did a few years ago found the amount of SPAM
attributable to a key on a keyserver was not significantly different from that
received as just random SPAM noise from an unused ISP account. I've seen no
volume of SPAM since then to challenge that conclusion.

>> > I want to create a key without a uid.
>> > People who want to send me e-mail, get my e-mail address and
>> > keyID/fingerprint with my business card.
>> > 
>> > Will this work or did I miss something?
>> 
>> How will they get your public key?
> 
> By keyID/fingerprint from the keyserver-net.

And how, exactly, do they first get the KeyID/Fingerprint? Or do you intend to
limit encrypted communication to those whom you have first made contact and
handed a business card?

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


