On 29/10/15 17:23, Daniel Baur wrote:
> isn’t it a little bit problematic that GPG now logs how often I received
> emails by someone else?

I would think that in most situations, that is not a problem. If you exclusively use webmail, there isn't such a record directly on your computer's disk, but you also can't use GnuPG with webmail, AFAIK. If you use a regular e-mail program that works with GnuPG, that information is already on your disk and accessible to the user account you run it as, so duplicating that information in the GnuPG home directory adds nothing.

Do you know of a scenario where this information is not already available from the e-mail program? Even if the user deletes the mail after they read it, I wouldn't be at all surprised if this just marks the data as deleted rather than that it scrubs the data from the disk. This would muddy the statistics, but hardly be a security feature.

Also, you could just disable TOFU if you're worried by it, but you would lose the functionality as well...

Maybe there's a use case for optionally not gathering these statistics if key validity is already established through the WoT. That way, if you want to keep the frequency of correspondence a secret, you could use the WoT to establish validity. An option to not gather statistics for specific keys rather calls out those keys as interesting, and an option to disable the statistics for all TOFU keys seems like losing a very valuable tool in assessing which key is the One Key.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>