Andrew Gallagher wrote:
>
>> On 14 May 2020, at 23:42, Stefan Claas <s...@300baud.de> wrote:
>>
>> When you work in compliance mode it should be IMHO possible that
>> people wishing to communicate with you (from foreign countries) and
>> may have a different opinion about privacy, GnuPG should accept
>> such public keys, without using extra parameters and that you can
>> easily add them to your key ring, with a simple label, thus not
>> revealing the identity of them, in case your computer or smartphone
>> gets later compromised or is searched at an airport etc.
>
> So your device is compromised by the feds and you're worried about
> your gpg keyring leaking contact information, but not your inbox or
> your address book? And how does your encryption system work if it
> doesn't maintain a mapping between email IDs and keys? I'm not
> convinced this threat model has been fully thought through.
Good question! First of all, I do not keep an address book on my computer nor on my smartphone, and I use not only simple SMTP channels.

Regarding the mapping of email IDs and keys: when I use labels for my keys in my keyring, it contains only simple stuff like a nickname, for example, because I know the people's email addresses also without using GnuPG; hence I use command line mode and no common plug-ins. I do not say that people should follow this procedure, but like I previously said, GnuPG should allow such an option. I am also used to using other communication channels, besides standard SMTP, where this works too.

I don't know if you, for example, know RSA public key encryption from before PGP was invented. There was no such thing as key-ID/email mappings etc., and people lived with it while using email. If you check out GitHub, GitLab etc. for public key encryption software, you will rarely find tools, if any, which use the same email/key-ID mapping approach GnuPG uses, and people do not complain about it.

And last but not least, GnuPG is a very flexible tool with many, many command line parameters, so why not allow this option too for users wishing to use UID-less public keys? I see no harm in it, only an enrichment of its feature set.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users