Exposing email addresses on key servers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 30 01:48:06 CEST 2009


On 06/29/2009 07:27 PM, reynt0 wrote:
> I guess WK's comment is about complete strangers sending you
> email?

I think that wasn't his point.  I think Werner's point was that when
people send encrypted mail, they use a mail user agent (e.g. thunderbird
with enigmail, outlook with the gpg plugin, claws, mutt, etc).  The MUA
is usually responsible for selecting which key to encrypt the message
to.  It does so by asking GPG to find a key which matches the e-mail
address.

If you choose a user ID which does not exactly match your e-mail
address, gpg (and thus the MUA) has no way of selecting the right key to
encrypt to automatically.

Some user agents include special features for mapping e-mail addresses
to keys manually (e.g. enigmail in thunderbird allows this), but it's
yet another step in an already cumbersome process.

Werner's point (I think) was that by raising the bar still further,
you're simply discouraging people from encrypting mails to you in the
first place, and not protecting yourself that much from harvesters, who
have many other ways to get yer address (from posts to this public
mailing list, for example).

It's a bad tradeoff.

	--dkg
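
The key lookup described in the message above, as an added example that is not part of the original post and is not GnuPG's or any MUA's own code. It scans colon-format key listing output (the shape `gpg --with-colons --list-keys` prints) for a user ID carrying exactly `<recipient>`. The sample listing, fingerprints and addresses are constructed, and the case-insensitive comparison is an assumption of this sketch.

```python
import re

# Constructed sample in the shape of `gpg --with-colons --list-keys` output.
SAMPLE_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1246000000:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1246000000::HASH1::Alice Example <alice@example.org>:
pub:u:2048:1:BBBBBBBBBBBBBBBB:1246000000:::u:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1246000000::HASH2::Bob Example (bob at example dot org):
uid:u::::1246000000::HASH3::Bob\\x3a work key:
"""

# An address counts only if it sits in angle brackets at the end of the user ID.
ADDR_IN_BRACKETS = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$")

def unescape(field):
    """Undo the \\xNN escaping used in colon listings (e.g. \\x3a for ':')."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def parse_keys(listing):
    """Return {primary fingerprint: [user IDs]} from a colon-format listing."""
    keys, current, awaiting_fpr = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # a new primary key starts here
            current, awaiting_fpr = None, True
        elif f[0] == "fpr" and awaiting_fpr:   # first fpr after pub is the primary's
            current, awaiting_fpr = f[9], False
            keys[current] = []
        elif f[0] == "uid" and current and len(f) > 9:
            keys[current].append(unescape(f[9]))  # field 10 holds the user ID
    return keys

def select_keys(listing, recipient):
    """Fingerprints of keys with a user ID carrying exactly <recipient>."""
    want = recipient.strip().lower()
    hits = []
    for fpr, uids in parse_keys(listing).items():
        for uid in uids:
            m = ADDR_IN_BRACKETS.search(uid)
            if m and m.group(1).lower() == want:
                hits.append(fpr)
                break
    return hits

if __name__ == "__main__":
    for rcpt in ("alice@example.org", "bob@example.org"):
        print(rcpt, "->", select_keys(SAMPLE_LISTING, rcpt) or "no key selected")
```

The second key has a readable but obfuscated address in its user ID, so the lookup for `bob@example.org` returns nothing and the sender would have to pick the key by hand.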
