key question

Paul Richard Ramer free10pro at gmail.com
Sat Mar 13 12:15:32 CET 2010


Hello MFPA,

I couldn't respond to your post for a while.  So here it is.

On Mon, 8 Mar 2010 21:38:18 +0000 MFPA wrote:
>> I never asserted that you said the key's originator owned the
>> information stored in the key.  I was quoting the context of what your
>> reply about the originator having "some rights" was about.  I would
>> never try to insert words into your mouth.
> 
> I just wanted anybody reading this after the event to be clear the
> quoted line about owning was not anything *I* have said.

Okay.  So we both misunderstood each other.  Problem solved.

>> Really, I am not interested in talking about what the law says.  The law
>> may be right, or the law may be wrong.  I don't want to know what the
>> law thinks, I want to know what you think.
> 
> The legal aspect is an integral part of the answer to your question;
> it demonstrates that rights to privacy and to an element of control
> over one's personal information are not something I dreamt out of thin
> air. Whatever different views people may have on moral or ethical
> rights, there are situations where processing/storage/dissemination of
> personal information is the subject of an established body of
> legislation and legal precedent. All that is open to question is the
> extent and nature of privacy "rights" that may exist beyond the narrow
> set enshrined in law and the slightly wider set in documents such as
> ECHR.

The issue of law is not "an integral part of the answer" to the question
of what should be.  It is an integral part of the answer to what is.

If I were to ask you whether every day should be like Christmas, you
would likely respond that every day couldn't be like Christmas.  Sure,
every day couldn't be like Christmas, because of the way people are, but
that doesn't mean that that is the way things ought to be.

The reason I wanted you to discuss what you believe without regard to
the law is because the law is just another man's opinion.  I was asking
for only yours.

>> For the record, I don't believe that the key holder should upload the
>> key if the key's originator doesn't want
> 
> Seeing as we are framing this in terms of "rights," do you believe the
> holder has a right to upload in these circumstances but "should not"
> exercise that right?

It depends.  Are we talking about ethical rights or lawful rights.

I think the key holder has the ethical and lawful rights to use and
distribute the key if the key's originator doesn't forbid him.  If the
keyholder is forbidden, he has the lawful right, but not an ethical right.

But the key holder shouldn't have to ask the originator what he may do
with the key.  The key holder should, by default, have freedom.  But if
the originator doesn't want his key disseminated, he should say so.

And by the way, I apply this rule to me.

>> But I don't believe the originator has a /right/ to prevent the key
>> holder from sharing it.
> 
> Morally and ethically, I disagree. To use an example with phone
> numbers: say I had a personal friend who was an insurance broker with
> a teenaged daughter and elderly parents. I would suggest it's
> perfectly in order for me to pass to a third party my mate's business
> number. I definitely have no moral or ethical right to pass on his
> daughter's or parent's numbers or his personal number. Some would
> argue he has a right to give me a good beating if I did.

So a buddy's business number is public information, and you can share it
if you like.  But a /public/ key, which by default is considered
publicly shareable information, isn't.

I get it!  So it goes like this.  A business telephone number is
considered by most to be shareable, and because of that, it is ethically
shareable.  A public key is considered by most to be shareable, and
because of that, it isn't ethically shareable.

> In practical terms, the originator currently has no means to prevent
> this sharing, whether or not he has a right. In a certain narrow set
> of circumstances, there could be an argument for legal redress if the
> originator's personal information was shared.

Interesting.  "... [C]urrently has no means ...."  Sounds like you may
want some delicious DRM.

>> I don't believe the keyserver (or the church) is responsible for
>> another's actions.  But I wanted to see whether you thought the
>> keyserver should be responsible.
> 
> I also don't think a webhost should be deemed responsible if somebody
> posts unlawful material on a site or forum that happens to be hosted
> on their servers.

I agree. I don't believe in guilt by association, including
unintentional association.

>> The "rights" that you are asserting are similar to copyrights.  They
>> both restrict the copying and dissemination of the information
>> associated with them.
> 
> I cannot conceive of anything other than a presumption of privacy in
> respect of the personal information usually present in the UIDs, and
> have always been amazed at the number of people displaying it openly
> on their public keys.

I can't speak for other people, but I can for me.  Take a look at the
UIDs on my key, which is 0xC7C66ADF3DB6D884.  And also, take a look at
my master key 0x2188A92DF05045C2 that I signed the other key with.

Each of those e-mail addresses on my keys are ones that were already
associated with my real name.  I had given each of those addresses to
family, friends, associates, businesses, or a combination of them.  Not
one of those accounts had given me any anonymity, and each had been
shared outside of people I knew personally.

By uploading a key with those addresses on it, does that mean I gave up
privacy that I already had?  No.  I only made it possible for people to
now communicate with me with more privacy than they could have had before.

I wanted to use PGP within my existing situation.  If in the future I
want to go underground with a pseudonymous identity, then I will create
a PGP key specifically for it.  Or if I would like to have a
pseudonymous identity as well my real identity, then I would have a
separate key and identity that I would protect.

We all want an amount of anonymity and privacy.  But we each want a
different level of it.  I believe that many of us on this mailing list
want to use cryptography in association with our real identities.
Others don't.  They prefer anonymity.

I like anonymity, and I want it for most of my use of the Internet.  But
when I post to this mailing list or use those e-mail accounts listed on
my public keys, I want to associate them with my real identity.

>> So if the key holder can't ethically (not talking
>> about physically) share the key or modify it, then what "rights" does
>> the key holder have?
> 
> Any use whatsoever that in no way compromises the privacy of the
> originator's personal information.

That is to say none.  Well, other than the fact that he can encrypt a
message to the originator's key and use it in accordance with the key
owner's wishes.  Hansen said it best, "DRM of the honor system."

>> Your purpose for keyservers and my purpose for keyservers are different.
>>  I believe that keyservers should be for the public dissemination of
>> keys.  You believe that keyservers should be for the private
>> dissemination of keys.
> 
> I believe anybody with my details should be able to fetch my key from
> a server, but looking at my key should give them no extra personal
> information about me.

Private dissemination within a public venue.

>> What /you/ want is a keyserver that you can upload publicly and share
>> privately.  I want is a keyserver that I can upload publicly and share
>> publicly.
> 
>> Remember that they are called public keyservers.  And like a public
>> restroom, they can be used by deviant and saint alike.
> 
>> You shouldn't assail the public keyservers.
> 
> My intention was merely to challenge the statement "it's a good idea
> to upload your key to a keyserver," since I had seen such sentiments
> expressed without qualification various places previously but had
> always seen more good reasons against than in favour. I got into a
> much longer (and more interesting) discussion than expected.

/My way is true and holy.  Follow in my foot steps./

I think that you are wrong, because you seem to insist that others must
do as you do.  It would be equally wrong for me to insist that others
must do as I do.  You and I have different goals--remember that.

The user's purpose is what matters.  What does he want to accomplish?
Is it only secrecy of his messages?  Anonymity?  Who is he communicating
with?  What would meet his needs?

It is questions like these that must first be answered.  Because they
define the purpose.  If these questions aren't answered, either
consciously or unconsciously, then user has failed before he has started.

Why?  Because it is like traveling without first determining a
destination.  When purpose is defined, it is the director of action.
The user must yield to purpose if he is to succeed.  Then he must let
purpose to choose the path.

>> You should be calling for an additional kind of keyserver to fill
>> the niche of people like you.
> 
> I think it would work better if the option of increased privacy could
> be integrated into the mainstream servers.

It's unlikely to happen.  You are more likely to have the existing
keyservers integrate the functionality that you want if you first create
a special keyserver for your niche, and then, if it is popular enough,
talk them into integrating it.

That way you can have the kind of keyserver that you want, now, rather
than waiting years to, hopefully, succeed in changing the existing
keyservers.


-Paul

--
If you send me a message, assume that it will be read in transit. But if
you want some privacy, then please use my PGP key when sending me
messages.

+---------------------------------------------------------------------+
| PGP Key ID: 0x3DB6D884                                              |
| PGP Fingerprint: EBA7 88B3 6D98 2D4A E045  A9F7 C7C6 6ADF 3DB6 D884 |
+---------------------------------------------------------------------+

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100313/88bc77a4/attachment.pgp>


More information about the Gnupg-users mailing list