Creating a key bearing no user ID

Holger holger at alternativefuse.com
Mon Jan 23 16:04:45 CET 2012


2012-01-22T23:33:38-06:00, John Clizbe:
> Holger wrote:
> > 2012-01-22T16:11:14-08:00, Doug Barton:
> > > On 01/22/2012 10:05, Holger wrote:
> > > > I intend to use gpg only for receiving encrypted e-mail, not signing
> > > > my outgoing e-mail. Because I don't want my name or e-mail address
> > > > out there on the keyservers,
> > > 
> > > Why not?
> > 
> > One reason is spam, though we haven't seen excessive abuse of the
> > keyserver-data or the keyservers themselves yet. Of course I could simply omit
> > the e-mail address. Another one: My full name is rather unique and I don't want
> > to reveal with whom I communicate i.e. who signed my key. On the other hand,
> > public keys can be easily polluted with bogus signatures ... but I guess the
> > average researcher is not aware of that and the versed is able to filter out the
> > bogus ones. So maybe I should refrain from participating in the web of trust and
> > build my personal "star of trust"?!
> 
> I have a very unique last name and I'm not afraid of the keyservers. I know of
> about six "John Clizbe"s. We differ by middle initial and name.

I'm not afraid of being mistaken for somebody else. Given my name was unique, anybody
could go and see with whom I'm associated.

> BTW, if I represented an entity concerned with whomever you communicated, I
> would likely not bother with your key. It would be much easier to have a copy of
> your outgoing mail retained by your ISP.

That's on another level, legally + technically.

> Keyserver SPAM is a straw-man argument. Yes, it's possible for an address to be
> pulled from the key on a keyserver, in fact, I'm convinced harvesting probably
> takes place. But testing I did a few years ago found the amount of SPAM
[...]

Please simply accept that it's an issue for me as well as many others. Harvesting is
supereasy: full keydumps are readily available.

> > > > I want to create a key without a uid.
> > > > People who want to send me e-mail, get my e-mail address and
> > > > keyID/fingerprint with my business card.
> > > > 
> > > > Will this work or did I miss something?
> > > 
> > > How will they get your public key?
> > 
> > By keyID/fingerprint from the keyserver-net.
> 
> And how, exactly do they first get the KeyID/Fingerprint? Or do you intend to
> limit encrypted communication to those whom you have first made contact and
> handed a business card?

Yes, I intend to receive encrypted mail only from those

/Holger




