Hi

On Friday 18 July 2014 at 11:34:19 PM, in <mid:1460534.5jfkcsu...@thufir.ingo-kloecker.de>, Ingo Klöcker wrote:

> Sure. But the NSA already knows the correspondents of
> all of our mail anyway. Keyserver lookups do not add
> any additional data (except of the information that you
> are trying to look up a key resp. that you are talking
> to a keyserver).

Time of use is a big piece of information that a keyserver lookup could add. And, maybe, IP address, operating system, software...

> Good point. Automatic decryption should be possible for
> those that want it. My scheme is mostly meant as
> in-transit encryption which again is way better than
> our current status quo.

And the choice whether to store their emails encrypted or decrypted. Storing decrypted could be an issue, especially if the emails are stored on a server rather than the user's machine.

> Peter Lebbing wrote:
>> An e-mail system with a default big usability issue
>> will get swapped out for a more pleasant to use one.

It might, but Outlook is in widespread use despite major usability issues.

> Peter Lebbing wrote:
>> Finally, I think people might take issue with their
>> e-mail address automatically being posted to a public
>> keyserver.

A certain minority would take exception to this, including myself. It is less of a problem for me with the automatic upload of just a single email address per key and no name/identity information.

> How exactly does one harvest email addresses from the
> keyservers? Can I ask keyservers to give me all keys it
> has in storage? Or do I need to search for keys
> matching a certain substring?

I honestly don't know.

> Anyway, if this really becomes a problem then key
> lookup probably needs to be made as inconvenient as
> trying to send email probes to randomly generated
> email addresses.

Isn't key lookup already more inconvenient than randomly generating email addresses? Or have I missed something?

> For my scheme to work the keyservers would only need to
> return keys where the email address part of a uid
> exactly matches the recipient's email address.

The email address could be hashed in the key UID that's automatically uploaded...

> Moreover, for my scheme to work no key certification is
> necessary, i.e. crawling from one key to the next via
> certification signatures wouldn't be possible.

Some people have specific use cases where key certification is needed. But most email communication doesn't have a way of being sure who controls the address.

> The scheme has more issues: For example, there's no
> message integrity protection (via signing) whatsoever.

There's no reason not to have it.

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Live your life as though every day it was your last.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
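
The exact-match lookup and the hashed-UID idea discussed in the message above, sketched as an added example that is not part of the original post or of any keyserver's code. The `ExactMatchKeyserver` class, the `uid_token` helper, the choice of SHA-256 over a trimmed, lower-cased address, and the sample addresses and fingerprints are all assumptions made for illustration.

```python
import hashlib


def uid_token(email: str) -> str:
    """Hypothetical UID form: SHA-256 of the trimmed, lower-cased address.

    The normalization rule is an assumption; the thread does not define one.
    """
    normalized = email.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class ExactMatchKeyserver:
    """Toy in-memory keyserver that stores only hashed-address UIDs."""

    def __init__(self):
        self._keys = {}  # uid token -> list of key fingerprints

    def upload(self, email, fingerprint):
        self._keys.setdefault(uid_token(email), []).append(fingerprint)

    def lookup(self, email):
        """Return keys only when the full address matches exactly."""
        return list(self._keys.get(uid_token(email), []))

    def search_substring(self, fragment):
        """Substring search over stored UIDs; only digests are searchable."""
        return [t for t in self._keys if fragment.lower() in t]

    def dump_uids(self):
        """What a full dump exposes: opaque tokens, no addresses."""
        return sorted(self._keys)


def demo():
    ks = ExactMatchKeyserver()
    # Constructed sample data, not real keys or addresses.
    ks.upload("alice@example.org", "FPR-ALICE-CONSTRUCTED")
    ks.upload("Bob@Example.org", "FPR-BOB-CONSTRUCTED")
    return {
        "exact": ks.lookup("bob@example.org"),
        "near_miss": ks.lookup("bob@example.com"),
        "substring": ks.search_substring("@example.org"),
        "dump_has_at": any("@" in t for t in ks.dump_uids()),
    }


if __name__ == "__main__":
    print(demo())
```

A plain hash only removes addresses from dumps and substring searches; anyone who already holds or guesses an address can still confirm that it has a key, which is the lookup the scheme is meant to allow.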