On Sat, Jun 16, 2012 at 05:32:36PM -0400, David Shaw wrote:
> Yes, I understand that spreading out keyserver requests can help avoid this
> sort of tracking, but remember that the keyserver URL feature allows the
> keyholder to bypass the keyserver chosen by the user, and send the requests
> anywhere they like. I don't care how the keyserver round-robins are run if I
> can get a target GPG to not use them.
>
> To really combat tracking, you need to route your keyserver requests through
> TOR or something similar.
Even that addresses not all issues. The target keyserver still receives a connection whenever the public key is used by someone. A keyholder may set the keyserver URL to a server under his control to monitor the usage of its public key. If that is a good or bad idea certainly depends on your point of view. But it does not seem to be a wise default configuration in my mind.

If such an "automatic update" is added, I'd like to have an additional option to define the maximum update interval. This allows everybody to define his own tradeoff. With a default value of for example 24 hours, public keys are still kept fairly up to date while frequent key usage will not trigger a keyserver request for most crypto operations.

Michel
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
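The following is an added illustration of the "maximum update interval" idea from Michel's reply, written for this page; it is not GnuPG code and the semantics (a per-key cap on how often a keyserver is contacted, plus a separate switch for whether the keyholder's embedded keyserver URL is followed at all) are this example's own assumptions. The fingerprint, URLs and usage timeline are constructed sample values.

```python
"""Capped key-refresh policy (added example, not part of GnuPG).

Models the tradeoff discussed in the thread: a public key can carry a
preferred-keyserver URL chosen by the keyholder, and an automatic refresh
on every use would let that server observe each signature verification or
encryption. A per-key maximum refresh interval limits how often the client
reaches out, and a separate option decides whether the embedded URL is
honored or the user's own keyserver is always used.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RefreshPolicy:
    max_interval: float          # seconds that must pass before a key is looked up again
    honor_keyserver_url: bool    # follow the keyholder's embedded URL, or ignore it
    default_keyserver: str       # the keyserver the user configured (assumed value)
    _last_refresh: dict = field(default_factory=dict)   # fingerprint -> last lookup time
    requests: list = field(default_factory=list)         # (time, fingerprint, url) log

    def target_for(self, key_url: Optional[str]) -> str:
        # Route the lookup to the user's keyserver unless the user explicitly
        # opted in to following whatever URL the keyholder embedded in the key.
        if self.honor_keyserver_url and key_url:
            return key_url
        return self.default_keyserver

    def maybe_refresh(self, fingerprint: str, key_url: Optional[str], now: float) -> bool:
        """Return True if this key use triggers a keyserver request."""
        last = self._last_refresh.get(fingerprint)
        if last is not None and now - last < self.max_interval:
            return False        # cached key material is recent enough; no network contact
        self._last_refresh[fingerprint] = now
        self.requests.append((now, fingerprint, self.target_for(key_url)))
        return True


def simulate(policy: RefreshPolicy, fingerprint: str, key_url: Optional[str], use_times) -> int:
    """Apply the policy to a sequence of key uses; return how many hit a keyserver."""
    return sum(policy.maybe_refresh(fingerprint, key_url, t) for t in use_times)


if __name__ == "__main__":
    HOUR = 3600.0
    # Constructed scenario: one correspondent's key is used once an hour for three days.
    uses = [h * HOUR for h in range(72)]
    fpr = "0000000000000000000000000000000000000000"   # placeholder fingerprint
    capped = RefreshPolicy(24 * HOUR, True, "hkp://keys.example")
    print("24h cap:", simulate(capped, fpr, "hkp://keyholder.example", uses), "lookups")
    uncapped = RefreshPolicy(0.0, True, "hkp://keys.example")
    print("no cap:", simulate(uncapped, fpr, "hkp://keyholder.example", uses), "lookups")
```

With the 24-hour cap, 72 key uses produce 3 lookups instead of 72, which is the reduction Michel's reply argues for; with `honor_keyserver_url` off, every lookup goes to the user's own keyserver regardless of the URL embedded in the key.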