symmetric email encryption

Peter Lebbing peter at digitalbrains.com
Fri Jul 18 21:01:54 CEST 2014


On 18/07/14 15:40, Ingo Klöcker wrote:
> OpenPGP keys are created and uploaded to some key server
> automatically, and they are looked up and used automatically

This creates a privacy issue with key lookup. It exposes correspondents
to the keyserver, including time-of-use.

Also, you need to define some negative-acknowledge time to live
(terminology borrowed from DNS). If on first contact an address does not
exist at the keyserver, when do you re-check? And since it can, in
unfavourable circumstances, take a while for a public key to propagate
through the keyserver network, if somebody just created an e-mail
address and key and uploaded it, then starts communicating, people will
check a keyserver and not see the key. Now their client will wait the
defined period before re-checking, adding even more to the propagation
delay.

Thirdly, if this is the default mode of operation, I think you need
automatic decryption before storing the mail, because searching mail is
an important feature, and searching encrypted mails a big usability
issue. An e-mail system with a default big usability issue will get
swapped out for a more pleasant to use one.

Finally, I think people might take issue with their e-mail address
automatically being posted to a public keyserver. And if it catches
wind, and many, many people use it, I think spammers might look again at
harvesting addresses versus generating them. Now it's a small pool to
fish from, but if most people have their address on the keyserver
network, the odds might change.

Given all the issues, I agree with Hauke when he wrote:

> There are many features which would be nice to have. What do you
> think how many orders of magintude this one is more effort to
> implement than my proposal?

That said, I'm not commenting on the symmetric encryption proposal,
purely on your encryption-by-default proposal.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list