key question

MFPA expires2010 at ymail.com
Sun Mar 7 17:46:09 CET 2010


Hi Paul


On Saturday 6 March 2010 at 8:54:41 AM, you wrote:


> Hello MFPA,

> During this whole debate, you have assumed one thing in your argument
> that I don't believe anyone has pointed out as being flawed.  You have
> assumed that the person (I will call him John Doe) would have decided
> to create a UID that contained the personal information that he wants
> to keep private.

The default configurations of PGP and gpg ask for a name, email
address, and comment when you create a key. Last time I looked (v8.x),
PGP would not even create a key without something that looked like an
email address - hence the a at b.c in my UID. (And yes, I know gpg now
allows you to omit the email address without having to use --expert,
but you are still asked for it.)

Almost any documentation I can find telling a new user how to use
GnuPG or PGP tells the user that the key UID is their name plus email
address, and that they should upload the key to a server. Many email
apps rely on the presence of the email address in the UID for key
selection, and documentation mentions this. Basically, almost
everything the beginner sees suggests either he cannot create a key
without this info, or his key is next-to-useless if he does. 



> If the person wanted badly to keep his e-mail address, or his e-mail
> address and his name, private, why would he put them on his key?
> Especially, when he knows that all it takes is one slip up or
> deliberate upload to send his public key flying across the Internet
> and into a keyserver to remain there forever.

I agree, and I touched on this in
Message-ID: <205633239.20100226162320 at my_localhost>, which was a reply
to one of your previous messages.



> Here are three examples of John Doe wanting to keep the privacy of his
> personal information and still use PGP.  I am using these examples,
> because they are usage cases that you have used in your arguments.
> The usage cases are as follows: (a) John Doe doesn't want to disclose
> his e-mail address; (b) John Doe doesn't want to disclose his name
> or e-mail address; (c) John Doe doesn't want to disclose his name or
> e-mail address, because he fears that his government will send him
> to a gulag if they catch him.

[...]

> --------------

> In each of these cases, John Doe made the mistake of thinking that
> he could keep his personal information in his key, and that he could
> keep his key off the keyservers. If John were to make the wisest
> decision about keeping his personal information secret, wouldn't he
> choose to not include this information in a key that is probable to
> end up in a public venue?


You are assuming he realised it was probable. The benefit of hindsight
will presumably lead him to proceed differently in future. Initially,
John may not have even known he *could* create a useable key without
his valid email address. He might have been used to trusting those
in his closed circle. He might not have experienced or considered how
easy it was to make mistakes resulting in inadvertent key upload. He
may have read about the "keyserver-no-modify" flag and assumed the
feature would actually protect his key from accidental or malicious
publication.



-- 
Best regards

MFPA                    mailto:expires2010 at ymail.com

Don't learn safety rules by accident... 



