Questions about generating keys

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 23 13:29:56 CEST 2007


Oskar L. wrote:
> But if you don't need a public address, and only have security conscious
> friends, then I would think you have a good chance of staying off the
> spammers' lists.

This is not my experience.  I've received spam addressed to my amateur
radio call sign (KC0SJE) at a domain that's not directly associated with
me.  I don't know how it was discovered, but for right now I'm leaning
towards the hypothesis that spammers have made pacts with the Devil and
learned dark arts.

> Those are all good things, but just because we have them does not mean
> that it's not a good idea to try to stay off the spammers' list in the first
> place.

Sure it is.

All of us are constrained by external forces.  We don't have as much
time, as much energy, as much money, as much anything as we want.  We
have to make tradeoffs.  That's called economics.

If I know that one sort of antispam measure is going to reduce the spam
I receive 100-fold over the reduction produced by another antispam
measure... and the 100-fold measure takes the same amount of resources
as the other one... then why should I ever use the second measure?

I get a 100-fold reduction from X amount of time and labor, or a
101-fold reduction from a 2X amount of time and labor.  This is really
simple to me; I'm going to take the 100-fold reduction and spend the
extra X time goofing off, or visiting my nephews, or grabbing lunch with
my sister, or doing thesis research, or...

Use the most effective measures available to you, and know when to stop.

If I had 2X units of time, I still wouldn't use the two measures to get
a 101-fold reduction in spam.  I'd spend X time using the technologies
currently available, and I'd spend X time researching new technologies
to try and kick the 100-fold technology up to 1000-fold.  That'd be a
very efficient and economical use of time.

> User IDs do not provide any authentication, so security wise they are
> useless.

Whoawhoawhoawhoa.  I don't know where you got this from, but it's very
wrong.

"User IDs do not provide any authentication", okay, that much is true.
If you want authentication, you're really looking for a trusted
signature on the user ID, fine.

But "security wise they are useless" is just barking madness.  Really.

> The most secure thing would be not to have one at all, and have
> my friends remember that key number xxxxxxxx belongs to me. This way, if
> my friends get raided, it will be more difficult or impossible for the
> police to figure out that it's my key.

You are apparently not up to date on something called traffic analysis.
I suggest you look into it.  What you're talking about here is probably
a pipe dream.

If you're that concerned about getting raided, there are two things you
need to do right now.

1.  Stop posting to crypto mailing lists that keep public archives.
Creating an electronic paper trail of yourself saying "I'm concerned
about getting raided by the cops, please help me figure out how to
protect my electronic privacy" is not a very smart thing to do.

2.  Hire an information security professional.  GnuPG can be part of a
security solution, it can even be a very effective part, but it is not
magic fairy dust.  You will not find privacy or security just by
sprinkling a little magic fairy dust here and there and thinking that it
will "just work".  If your needs are this high-level, you need the
services of an information security professional.
