On Tue, Dec 21, 1999 at 03:43:04AM +0100, Jan-Benedict Glaw wrote:
> On Mon, Dec 20, 1999 at 01:48:19PM -0800, rex wrote:
> > On Mon, Dec 20, 1999 at 01:23:19PM +0100, Jan-Benedict Glaw wrote:
> > > 
> > > This way I strongly recommend everybody to use 'set pgp_encryptself' in
> > > ~/.muttrc (for PGP) or 'encrypt-to 0xKEYID' in ~/.gnupg/options (for GnuPG)
> > > instead of saving (encrypted) mails in plaintext...
> > 
> > This is very dangerous if you ever wish to be anonymous because anyone
> > can see your identity. It's all too easy to forget to unset this option
> > when sending an anonymous message (don't ask how I know :).
> 
> You miss the point... If you encrypt a mail, the recipient will _need_ your
> public key. Thus he knows your identity regardless of whether or not you
> encrypted that mail _for_ your key, too. If you sign your mail, the recipient
> will notice your key's UIDs as well.

Wrong. If Tom wishes to send Sam an anonymous encrypted message, Tom
encrypts the message using *Sam's* public key and sends the message
through a few remailers. When Sam receives the message, he decrypts it
using his private key. Sam doesn't need to know who the sender is,
much less know his public key. If Tom is foolish enough to encrypt to
himself, *anyone* who looks at the message can see that Tom is
involved and is probably the author of the message. Even though they
cannot read the message, they know Tom is communicating with Sam.
Think traffic analysis.

> I think you wanted to write about 'set pgp_autosign' in .muttrc? Well, I've
> set this, as I don't write spam^Wanonymous mails, but maybe you have a
> real use of anonymous mails?

No, I did not want to write about autosign, though it's a more obvious
security risk.

Yes, I do have real uses of anonymous mail, however, if I told you
why, I'd have to kill you. ;) Seriously, anonymous mail is like any
other tool in that it can be used responsibly or irresponsibly.

FWIW, I detest spammers to the point that I endorse tracking them down
and visiting them (along with a couple of ~300 pound "associates") in
MeatSpace for a little chat about why spamming is not a good idea.

> PS: What's your real name, 'rex'?

Not that it matters, but my real name *is* "rex."

Sorry for the OT post, but it's important for every PGP user to know
that automatically encrypting to self is a security risk that is
easily forgotten about. Keeping a copy in the clear and encrypting
the mail directory is a much safer solution.

-rex
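
The exposure discussed in this thread can be checked before a message leaves the machine. The following is an added example, not part of the original post: it reads the recipient key IDs that sit unencrypted at the front of a binary (non-armored) OpenPGP message and reports whether any belongs to the sender. The key IDs, helper names and sample packets are constructed for illustration.

```python
# Added example: list the recipient key IDs that sit unencrypted in an OpenPGP message.
PKESK = 1  # Public-Key Encrypted Session Key packet tag (RFC 4880, section 5.1)

def recipient_key_ids(msg: bytes) -> list[str]:
    """Key IDs from the leading PKESK packets of a binary OpenPGP message."""
    ids, pos = [], 0
    while pos < len(msg):
        hdr = msg[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        new_fmt = bool(hdr & 0x40)
        tag = hdr & 0x3F if new_fmt else (hdr >> 2) & 0x0F
        if tag != PKESK:          # PKESKs precede the encrypted data packet
            break
        if new_fmt:
            first = msg[pos + 1]
            if first < 192:
                length, body = first, pos + 2
            elif first < 224:
                length, body = ((first - 192) << 8) + msg[pos + 2] + 192, pos + 3
            elif first == 255:
                length, body = int.from_bytes(msg[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial length is not valid for a PKESK packet")
        else:
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not valid for a PKESK packet")
            n = (1, 2, 4)[ltype]
            length, body = int.from_bytes(msg[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        if msg[body] == 3:        # version 3 PKESK: 8-byte key ID follows
            ids.append(msg[body + 1:body + 9].hex().upper())
        pos = body + length
    return ids

def own_keys_exposed(msg: bytes, own_ids: set[str]) -> list[str]:
    """Which of the sender's own key IDs an observer can read off the message."""
    return [k for k in recipient_key_ids(msg) if k in own_ids]

# Constructed sample data: made-up key IDs and dummy packet bodies.
SAM, TOM = "A1B2C3D4E5F60718", "0F1E2D3C4B5A6978"

def _pkesk(key_id: str, new_fmt: bool) -> bytes:
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x08\xAA"  # v3, ID, RSA, MPI
    return bytes([0xC1 if new_fmt else 0x84, len(body)]) + body

_DATA = bytes([0xD2, 5]) + b"\x01" + b"\x00" * 4   # tag 18 packet, placeholder body
ANON_MSG = _pkesk(SAM, True) + _DATA
SELF_MSG = _pkesk(SAM, True) + _pkesk(TOM, False) + _DATA
```

With encrypt-to-self in effect (`SELF_MSG`), Tom's key ID is readable by anyone who handles the ciphertext; without it (`ANON_MSG`), only Sam's is.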
