Don't send encrypted messages to random users

Michael Englehorn michael at englehorn.com
Tue May 30 21:42:04 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

"Michael A. Yetto" <idmsdba at nycap.rr.com> writes:

> On Tue, 30 May 2017 15:53:44 +0000
> listo factor via Gnupg-users <gnupg-users at gnupg.org> writes, and having
> writ moves on:
>
>>On 05/29/2017 11:52 PM, Konstantin Gribov - grossws at gmail.com wrote:
>>> Primary reason to publish a key is to make it available for
>>> fetching. It isn't a permission for anyone to annoy a person
>>> anyhow.  
>>
>>Keyservers have every characteristic of a public directory.
>>
>>What possible reason there could be for placing one's
>>e-mail in the public key if not to make it possible
>>for anyone to send an e-mail to the owner. To make
>>a piece of information publicly available on the net
>>and then depend on "netiquette" for that piece of
>>information not to be used in a manner the owner finds
>>objectionable strikes me as a rather outdated notion.
>>
>
> Would you find it acceptable for someone to randomly call you and ask
> your opinion on a topic of their choosing just because your phone
> number happens to be on a public directory that person happened upon?
>
> The reason, not only possible, but likely, would be to let someone with
> a reason to send a message to that e-mail have the necessary data to
> encrypt it and keep it as private as is needed.
>
> Mike Yetto

Depending on what the content of the e-mail is about, I don't think it
would be inappropriate for someone who I didn't know to contact me,
especially if it was about something I normally work on such as an
open source project that has my name and e-mail attached to it.

My e-mail address is easy to find in places other than the keyservers,
and if you don't put your key on the keyserver it may be difficult for
someone to send me something like a security impacting bug report using
encryption.

Also, it would be strange to only publish your key's "name only" UID to the
keyserver, because then at a keysigning event I wouldn't know where to
send your public key back to, and I couldn't certify any of your e-mail
addresses.

The same goes for phone calls, though I do heavily filter my home phone
line with some IVR scripts and such to prevent autodialer spam.

That being said, sending 'hey, I'm just testing' messages to me would be weird.

- -Michael Englehorn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list