Hi

On Saturday 27 February 2010 at 6:11:29 AM, in <mid:4b88b791.7000...@sixdemonbag.org>, Robert J. Hansen wrote:

> There is a perceived need for $150 bowls of soup, as evidenced by dozens of high-priced gourmet restaurants in major cities. The existence of a market for a service is not evidence that the service is generally useful or needed.

Point taken.

>> In any case, I've never seen a convincing argument *for* including email addresses in the UID of a PGP key.

> First, the status quo doesn't need arguments in its favor. The status quo exists. *Changing* the status quo is what requires arguments in its favor.

I have always been taught to challenge the status quo. "Because that's the way we do it" is *never* a good reason to continue doing something in a particular way.

I understand that showing your email address in the UID makes it easier for people to find your key, the perceived advantage being that this makes it more likely you will receive encrypted mail. My contention is that the de facto standard of revealing email addresses in key UIDs could actually be mitigating *against* the use of encrypted mail, by discouraging people from publishing keys or even from using openPGP in the first place.

There is a widespread perception (rightly or wrongly) that exposing your email address publicly on the internet will lead to that email address being spammed into oblivion. The new openPGP user is exhorted to create a key pair using their name and email address as the UID, and to upload this key to a server. That advice, coupled with the default configuration's enforcement of including an email address (or something that appears to be one), clearly has the potential to scare potential users from experimenting with openPGP in the first place.

> Second, then you don't have to include it in yours. Why are you bringing this up?
Because you suggested in an earlier post in this thread that it was somehow acceptable to publish somebody's key to a server without their consent. To me, wantonly publishing other people's contact details appears contrary to the desire to protect personal privacy.

> I don't care what your UID is, and I don't want you to have a vote in whether I put an email address in mine.

I don't want such a vote. Whether somebody chooses to include an email address in their UID is up to the individual. I have not seen anything that convinces me it is better for me to include one.

>> If their key lived at their own website or on an email responder, for example, you could still do this - except the note of the fingerprint and key-id would also need to contain a URL.

> In which case you're still hosting it publicly, so why not use the keyservers?

Because by hosting it yourself, you have control over what signatures and UIDs appear on the published key. Or is that just an illusion?

>> OK OK, the post I was replying to when I started this stated "It is also a good idea to send your key to the keyservers." I do not see this statement as any kind of self-evident truth, yet I have been thoroughly taken to task for questioning it.

> This is not "taking you to task." This is listening to your claims, and giving strong arguments against them.

Many of the replies I've read in this thread have that character. Others have tended more towards criticising me for holding a different opinion and/or dismissing anything I said. Maybe I'm just being over-sensitive, but I got the impression I had touched some raw nerves somewhere along the way.

> That said, it is broadly true that it's a good idea to send keys to the keyserver network. The reasons why have already been well-explained. Your reasons why not are either unfounded or debunked.

The collective response on this thread has indeed debunked a few myths for me. The main issue I'll never be converted on is the potential privacy problem of publishing somebody else's key to the servers.

> In your voluminous defense of privacy rights, you've not given any numbers for what fraction of users need or want to keep their public keys private. If you're arguing that the "good idea" we've advocated is not a good idea, you need to show there are substantial numbers of users who will be negatively impacted. You haven't.

If I was able to show that, those who need/want such privacy would be making a poor job of trying to enforce it. I don't care how many users this affects. For me, what matters is that any key I encounter *could* relate to one of them. Whoever's details may be on a key (or in the body of an email, or anywhere else), I have no business publishing them.

> You've talked about the danger of reputation being slandered by implication of association: but as David Shaw has pointed out, if someone wants to do that there are much easier ways to do it than with keys.

True. I only mentioned it because a contact experienced business problems as a result of this.

> You've talked about making it easy for law enforcement to learn who communicates securely with whom: but as I've said, law enforcement (at least in the US, and probably also the UK) has much easier ways to learn this. Echelon. Records from ISPs. Traffic analysis...

> You've talked about spam

Spam was one of my initial concerns, so I created a key containing my name and a real email address that I actually do use. That key has sat at BigLumber for over 5 years and on the keyservers for about three years. That address generally attracts 2-3 spam messages a month. The only messages encrypted to that key have been when I requested login tokens from BigLumber.

> The status quo is, "it is generally a good idea to send your key to the keyserver network."
That is a very different statement to the one you made a few lines up; changing "keys" to "your key" resolves the privacy problem of exposing other people's contact details.

> If you want to change that, the burden is on you to present persuasive evidence supporting a change. So far I've not seen it, which means the status quo stands.

I think that rather than just bald exhortation to use the keyservers, people could usefully be pointed to a discussion of the pros and cons so that they can make an informed choice. I would also welcome an end to the presumption that people will want to include their email address in their UID.

--
Best regards

MFPA    mailto:expires2...@ymail.com

Reality is nothing but a collective hunch.
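Added example, not part of MFPA's message or the gnupg-users thread: a pre-publication audit of what a key listing would reveal, illustrating the point above about controlling which UIDs and third-party signatures appear on a key you publish yourself. It parses the machine-readable output of `gpg --list-sigs --with-colons` (field positions as documented in GnuPG's DETAILS file); the key IDs, fingerprint, UID hashes and timestamps in the embedded sample are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `gpg --list-sigs --with-colons` output for one key.
# Key IDs, fingerprint, UID hashes and timestamps are made up for illustration.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1267228800:::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1267228800::DEADBEEF::Alice Example <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1267228800::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1267315200::::Bob Signer <bob@example.net>:10x:::::2:
uid:u::::1267228800::CAFEBABE::Alice Example (no address)::::::::::0:
sig:::1:0123456789ABCDEF:1267228800::::Alice Example (no address):13x:::::2:
sub:u:4096:1:AAAA0000BBBB1111:1267228800::::::e::::::23:
"""

# GnuPG builds UIDs as "Name (Comment) <address>"; match the bracketed address part.
EMAIL_RE = re.compile(r"<[^<>@\s]+@[^<>@\s]+>")


@dataclass
class UidReport:
    uid: str
    has_email: bool           # UID would expose an email address if published
    third_party_sigs: int = 0  # certifications by keys other than the primary


def _unescape(text):
    # gpg C-escapes ':' and non-printable bytes in the UID field, e.g. "\x3a".
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def audit_listing(listing):
    """Return one UidReport per UID: address exposure and third-party signature count."""
    primary = None
    reports = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]                       # field 5: key ID of the primary key
        elif f[0] == "uid":
            uid = _unescape(f[9])                # field 10: the user ID string
            reports.append(UidReport(uid, bool(EMAIL_RE.search(uid))))
        elif f[0] == "sig" and reports and f[4] != primary:
            reports[-1].third_party_sigs += 1    # sig records follow the UID they certify
    return reports


if __name__ == "__main__":
    for r in audit_listing(SAMPLE_LISTING):
        print(f"{r.uid!r}: email={r.has_email} third-party sigs={r.third_party_sigs}")
```

Run against a real listing (`gpg --list-sigs --with-colons KEYID`), the report shows which UIDs and third-party certifications a self-hosted export would carry before anything leaves your machine.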