Don't send encrypted messages to random users
michael at englehorn.com
Tue May 30 21:42:04 CEST 2017
-----BEGIN PGP SIGNED MESSAGE-----
"Michael A. Yetto" <idmsdba at nycap.rr.com> writes:
> On Tue, 30 May 2017 15:53:44 +0000
> listo factor via Gnupg-users <gnupg-users at gnupg.org> writes, and having
> writ moves on:
>>On 05/29/2017 11:52 PM, Konstantin Gribov - grossws at gmail.com wrote:
>>> Primary reason to publish a key is to make it available for
>>> fetching. It isn't a permission for anyone to annoy a person
>>Keyservers have every characteristic of a public directory.
>>What possible reason there could be for placing one's
>>e-mail in the public key if not to make it possible
>>for anyone to send an e-mail to the owner. To make
>>a piece of information publicly available on the net
>>and then depend on "netiquette" for that piece of
>>information not be used in a manner the owner finds
>>objectionable strikes me as a rather outdated notion.
> Would you find it acceptable for someone to randomly call you and ask
> your opinion on a topic of their choosing just because your phone
> number happens to be on a public directory that person happened upon?
> The reason, not only possible, but likely, would be to let someone with
> a reason to send a message to that e-mail have the necessary data to
> encrypt it and keep it as private as is needed.
> Mike Yetto
Depending on what the content of the e-mail is about, I don't think it
would be inappropriate for someone who I didn't know to contact me,
especially if it was about something I normally work on such as an
opensource project that has my name and e-mail attached to it.
My e-mail address is easy to find in places other than the keyservers,
and if you don't put your key on the keyserver it may be difficult for
someone to send me something like a security impacting bug report using
Also, it would be strange to only publish your key's "name only" UID to the
keyserver, because then at a keysigning event I wouldn't know where to
send your public key back to, and I couldn't certify any of your e-mail
The same goes for phone calls, though I do heavily filter my home phone
line with some IVR scripts and such to prevent autodialer spam.
That being said, sending 'hey, I'm just testing' messages to me would be weird.
- -Michael Englehorn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----