Privacy concerns

Pete Stephenson pete at heypete.com
Wed Apr 17 19:09:51 CEST 2013


On 4/17/2013 2:32 PM, Diego Zuccato wrote:
> Ave all.
> 
> IIUC, currently, whoever looks up a key for an identity, automatically
> retrieves *all* user's identities!

Yup.

> That could easily be abused (spammers, people writing to personal
> mailbox for work-related issues, etc), but even if not abused it's at
> least "unpleasant" that all mail addresses get mixed.

I've had keys on the keyservers for years. Any spam related to
harvesting key data is negligible compared to spam from other sources.
Regardless of source, it gets filtered out so it's no worries to me.

> I've been thinking about that for some time, but couldn't yet find a
> workaround. Except, maybe, some decoupling between signature key and
> identities -- but no idea on how to implement it, keeping the current
> pros. W/o having to use multiple different identities (that would mean
> more smartcards to manage, for example).

While I don't use OpenPGP at my work, it seems reasonable to me to
create separate primary keys for work and personal use.

In the US at least, companies have various regulatory requirements
relating to communications and message storage. It may be compulsory for
a company to have the ability to decrypt, read, and archive your
work-related mail. Since you cannot -- as far as I know -- bind
encryption subkeys to a specific UID, having a separate primary key for
your work seems like a good idea.

Cheers!
-Pete
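The exposure Diego describes and the separate-key remedy Pete suggests can be made concrete with a small simulation. The following is an added example, not code from the thread or from GnuPG: it parses a constructed key listing written in the style of GnuPG's machine-readable colon format (`gpg --with-colons --list-keys`, where field 1 is the record type, field 5 the key ID and field 10 the user ID) and models a keyserver lookup by e-mail address, which returns whole keys and therefore every UID bound to the matching key. The sample key IDs, names and addresses are constructed, and the record layout is only approximated closely enough for the three fields the parser reads.

```python
import re

# Constructed sample listing (NOT real keys): the first key carries both a
# personal and a work UID; the other two keys keep those identities apart.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1366200000:::u:::scESC::::::
uid:u::::1366200000::HASH1::Alice Example <alice@example.org>::::::::::0:
uid:u::::1366200000::HASH2::Alice Example <alice.example@corp.example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1366200000::::::e::::::
pub:u:4096:1:CCCCCCCCCCCCCCCC:1366200000:::u:::scESC::::::
uid:u::::1366200000::HASH3::Bob Example <bob@example.org>::::::::::0:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1366200000::::::e::::::
pub:u:4096:1:EEEEEEEEEEEEEEEE:1366200000:::u:::scESC::::::
uid:u::::1366200000::HASH4::Bob Example <bob.example@corp.example.com>::::::::::0:
sub:u:4096:1:FFFFFFFFFFFFFFFF:1366200000::::::e::::::
"""


def parse_listing(listing):
    """Return {key_id: [user-id strings]} from a colon-format listing.

    Only 'pub' and 'uid' records matter here; 'sub' records are skipped
    because subkeys hang off the primary key, not off an individual UID.
    """
    keys = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]          # field 5: key ID
            keys[current] = []
        elif fields[0] == "uid" and current is not None:
            keys[current].append(fields[9])  # field 10: user ID
    return keys


def email_of(uid):
    """Extract the address from 'Name <addr>'; fall back to the whole string."""
    match = re.search(r"<([^>]+)>", uid)
    return (match.group(1) if match else uid).lower()


def lookup(listing, email):
    """Model a keyserver search by address.

    A keyserver hands back the matching key as a unit, so the caller sees
    every UID certified on it, not just the one searched for.
    """
    exposed = []
    for uids in parse_listing(listing).values():
        if any(email_of(u) == email.lower() for u in uids):
            exposed.extend(uids)
    return exposed


def other_identities_exposed(listing, email):
    """UIDs, other than the one searched for, that the lookup reveals."""
    return [u for u in lookup(listing, email) if email_of(u) != email.lower()]


if __name__ == "__main__":
    for addr in ("alice@example.org", "bob@example.org"):
        print(addr, "->", other_identities_exposed(SAMPLE_LISTING, addr))
```

Searching for Alice's personal address reveals her work UID because both live on one primary key; searching for Bob's personal address reveals nothing else, because his work identity sits on a separate primary key with its own encryption subkey, which is exactly the split Pete recommends.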



More information about the Gnupg-users mailing list