What does an unencrypted, signed message mean to you? Because when we're talking about the benefits or operation model of a hypothetical "throw-keyid" option for signatures, that's what we are discussing. Anything about encrypted messages is not relevant, since the signature is inside the encryption as you noted. So the actual content of the data is already deemed not to be sensitive knowledge, it just needs to be authenticated.
Your method of correlating key ID's to out-of-band data like spying on people's movements is something I had not considered, but the key ID is just a bit of extra data; you could also simply correlate the production of *an* OpenPGP signed message to the person in question and attack them. Who cares what key they used when you can determine they are the person who's always behind their keyboard when that interesting signed message appears.

Furthermore, note that the design of OpenPGP assumes the data it calls "public" is indeed public. You could try to retrofit OpenPGP into some role where a public key is not public, but it is dangerous to use a crypto ecosystem for something else than it was designed for. It seems to me asking for a "throw-keyid" for signatures is exactly that, and maybe you need to look for something else than OpenPGP if public data is no longer public.[1]

As soon as the public key is indeed public, you've just reduced the search space to all public keys rather than all possible public keys. I don't particularly care if there is a meaningful user ID on the key, that's up to the creator of the key, but it is relevant that the actual modulus is indeed public knowledge.

HTH,

Peter.

[1] I made a typo and wrote "and pubic data is no longer public". My pubic data would be among the least public data about me, thank you very much :-).

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
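The point above about the search space shrinking to "all public keys", as an added example that is not part of Peter's message and is not GnuPG code: a signature stripped of its key ID is still attributed by trial verification against every published modulus. It assumes toy textbook RSA (no padding, no OpenPGP packet format), constructed keys built from Mersenne primes, and hypothetical key owner names.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys


def make_key(p, q):
    """Textbook RSA key from two primes (toy: no padding, not OpenPGP)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "d": d}


def digest(message, n):
    """SHA-256 of the message, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, key):
    """Return a bare signature value: no key ID, no user ID attached."""
    return pow(digest(message, key["n"]), key["d"], key["n"])


def verifies(message, signature, n):
    """Check the signature against one public modulus."""
    return signature < n and pow(signature, E, n) == digest(message, n)


def identify_signers(message, signature, public_keyring):
    """Trial-verify against every published modulus; return matching names."""
    return [name for name, n in public_keyring.items()
            if verifies(message, signature, n)]


# Constructed keys from Mersenne primes; the owner names are hypothetical.
KEYS = {
    "alice": make_key(2**61 - 1, 2**89 - 1),
    "bob": make_key(2**107 - 1, 2**127 - 1),
    "carol": make_key(2**521 - 1, 2**607 - 1),
}
# Only the moduli are published, mirroring a public keyring.
PUBLIC_KEYRING = {name: key["n"] for name, key in KEYS.items()}

MESSAGE = b"constructed sample: release announcement"
ANONYMOUS_SIG = sign(MESSAGE, KEYS["bob"])  # carries no signer hint

if __name__ == "__main__":
    print(identify_signers(MESSAGE, ANONYMOUS_SIG, PUBLIC_KEYRING))
```

The cost to the verifier is one verification per published key, which is why omitting the key ID only hides the signer if the public key itself is kept out of every keyring the observer can reach.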