key question
MFPA
expires2010 at ymail.com
Sat Feb 27 21:39:57 CET 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Saturday 27 February 2010 at 4:22:27 PM, in
<mid:4B8946C3.5050607 at sixdemonbag.org>, Robert J. Hansen wrote:
> His position seems to have shifted.
As the thread has progressed, the posts I'm replying to have shifted
from "It is a good idea to send your key to the keyservers," to an
assertion that it's also a good idea to publish other people's keys
whether they want them published or not.
> At some points he's said,
> "What's not to agree with in my statement that not
> everybody wants to put their keys on the keyservers?"
> I fully agree with this. However, he also seems to be
> advocating the advice of "generally speaking, it's a
> good idea to put keys on the keyservers" be changed to
> "generally speaking, it's not a good idea to share
> public keys without the key owner's explicit
> permission."
> This is a pretty big change in the conventional wisdom.
> Before I'll sign on to that I'll have to see some
> strong reasoning, and I haven't.
>> It seems (and I could be utterly wrong), that MFPA is
>> saying "Not everyone wants their key on the
>> keyservers, so please don't automatically send other
>> people's keys there. If the key owner wants the key
>> on the keyservers, he'll send it himself."
That is exactly what I am saying. Most peoples keys contain personal
contact details and the decision to place that information in the
public domain rests solely with the person whose details they are.
> MFPA has made it clear his objection applies to any
> kind of sharing of public keys without the owner's
> consent. It's not limited to the keyserver network.
> He considers it the equivalent of passing on someone's
> home address to a complete stranger. ("I would no more
> deliberately publish somebody's key without their
> consent than I would pass on their phone number or
> address.")
Pretty much, yes. Not forgetting the possible legal implications under
data protection legislation in the EU and other places.
> "the keyservers are generally a good idea, and
> generally speaking they should be used, and people
> should expect their public keys will wind up on them
> sooner or later, either through their direct action or
> through the accidents of others."
> It is not universally applicable advice, but I think
> that as far as general advice goes it's pretty good.
I don't think it is bad advice when put like that. Maybe the person
being advised could be pointed to a summary discussion of pros and
cons, and of alternatives to keyservers - but that would probably be
information overload.
It is definitely good advice to bear in mind that your key may well
end up on a keyserver whether you want it to or not. That will feed
into the decision of what information to include in your UIDs.
I find the attitude that it is OK to publicise somebody else's details
without consent abhorrent, and suggestive of a disregard for other
people's privacy.
Given the importance of personal privacy, it seems to me that it's too
easy to accidentally upload the wrong key to a server. I'm not sure if
anything could usefully be changed to address this; even if people
read confirmations before pressing "y" when using GnuPG, such mistakes
are all-too-easy in other packages and front-ends as well.
- --
Best regards
MFPA mailto:expires2010 at ymail.com
The problem is not that we're paranoid;
it's that we're not paranoid enough.
-----BEGIN PGP SIGNATURE-----
iQCVAwUBS4mDJqipC46tDG5pAQoYzgP/WP6E+qDRzfdwTVCXrcvXgONsVvXhCAQ8
3FJVYb/TeoLVcm26J88IBQvhECsoI+4RBcMgRVBwXTn0KU8E5PUF+4Or5d3NpuNp
RkmuPPOlNUfj6xqMRkylm5pe9kYI8UvDnEGlEOy0XonDJ1Mfq/4aZHpJvy5NHmaK
P+aRJ+1cjaE=
=NiBO
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list