[Discuss] privacy with pgp keys

Mayuresh Rajwadkar m.m.rajwadkar at ieee.org
Thu Sep 10 11:16:54 EDT 2015


hi All,

In view of the upcoming PGP keysigning, I would like to see if we can
discuss the topic of 'privacy with pgp keys'.

I found these two discussions online

http://crypto.stackexchange.com/questions/9403/how-can-i-remove-my-personal-data-from-my-pgp-public-key
http://crypto.stackexchange.com/questions/9388/is-my-identity-exposed-when-publishing-my-public-key-or-encrypting-with-pgp

Has anyone on the list thought of this before, or used some
similar/alternative strategies to achieve the same result?

Mayuresh

PS: Please ignore the previous post, gmail UI does not show me the subject
by default.
I wanted to add the conversation I had with John to the discussion.
I am not sure if anyone would want to sign a key based just off a
fingerprint...



---------- Forwarded message ----------
From: John Abreau <jabr at blu.org>
Date: Fri, Aug 21, 2015 at 3:59 PM
Subject: Re: hi...
To: Mayuresh Rajwadkar <m.m.rajwadkar at ieee.org>


I'm not aware of any such efforts, but I haven't been looking for them.

If you ask these questions on our mailing list, there's a good chance of
getting responses from people actively involved in such efforts, if those
efforts exist.

On Fri, Aug 21, 2015 at 9:30 AM, Mayuresh Rajwadkar <m.m.rajwadkar at ieee.org>
wrote:

> hi
>
> I am not actually questioning the key-signing process...
> I understand that, and I am okay with it as of today..
>
> I am wondering 5/10/15 years from now will it be the same as now...
> Is there any effort/development in process/or possible which could add
> some 'privacy' to the gpg/pgp conventions....
>
> Mayuresh
>
>
>
>
> On Fri, Aug 21, 2015 at 2:25 AM, John Abreau <jabr at blu.org> wrote:
>
>> Hi Mayuresh.
>>
>> We've never had an issue with spam in relation to our keysignings, and
>> our process assumes at least one valid email address on each key so
>> attendees can send the keys they sign back to the person who owns each key.
>>
>> Attendees sign the keys after the meeting; our process during the meeting
>> simply verifies that attendees have valid IDs proving they are who they say
>> they are, and that their key IDs and fingerprints are listed correctly on
>> the check sheet.
>>
>> The process we recommend to attendees for signing keys is to sign each
>> key and encrypt the result so that only the person with that key can
>> retrieve the signature, and then email the encrypted, signed key to the
>> email address associated with the key in order to prove that the person who
>> controls that key also controls that email address.
>>
>> Without an email address in the key, our process would not work.
>>
>>
>> On Thu, Aug 20, 2015 at 7:49 PM, Mayuresh Rajwadkar <
>> m.m.rajwadkar at ieee.org> wrote:
>>
>>> hi John,
>>>
>>> I really enjoyed the last meeting.
>>>
>>> here is the problem I was trying to describe.
>>>
>>> when we create pgp keys we use our email address as an ID to publish the
>>> key...
>>> When we upload the key to a keyserver our email address becomes public
>>> on the internet and open to spam & co.
>>>
>>> I had read an article/post on one of the forums which suggested using an
>>> RFC 4122 ID as the primary ID on the pgp keypair, and having that
>>> uploaded to the server so that it does not have email information in it.
>>> The same pgp key could then have additional uids which could be kept with
>>> the keypair but not uploaded.
>>> I don't know where I read this, but I am sure someone must have given
>>> some thought to the topic, and maybe there are other ways around it.
>>>
>>> I was wondering if you guys have any other novel method wherein the
>>> email-address could be
>>> sort of kept secret from spam&co.
>>>
>>> Mayuresh
>>>
>>>
>>> On Thu, Aug 20, 2015 at 7:32 PM, John Abreau <jabr at blu.org> wrote:
>>>
>>>> Hi Mayuresh.
>>>>
>>>>
>>>> What were you asking me yesterday?
>>>>
>>>> We normally have a talk on some aspect of security, prior to the
>>>> keysigning at the end of the meeting.
>>>>
>>>> At the moment, the guy who usually does the talk has a prior commitment
>>>> and cannot be at the meeting, and an alternative speaker I had invited to
>>>> replace him replied this afternoon that he's also away on the day of the
>>>> meeting.
>>>>
>>>> I'm still trying to find another speaker for the meeting.
>>>>
>>>>
>>>>
>>>> On Thu, Aug 20, 2015 at 5:26 PM, Mayuresh Rajwadkar <
>>>> m.m.rajwadkar at ieee.org> wrote:
>>>>
>>>>> hi John,
>>>>>
>>>>> I was the guy trying to talk to you yesterday about the PGP signing,
>>>>> and you were not able to hear..
>>>>>
>>>>> https://www.linkedin.com/in/mayur0122
>>>>>
>>>>>
>>>>> Regards
>>>>> Mayuresh
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> John Abreau / Executive Director, Boston Linux & Unix
>>>> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
>>>> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
>>>>
>>>>
>>>
>>
>>
>> --
>> John Abreau / Executive Director, Boston Linux & Unix
>> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
>> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
>>
>>
>


-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
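Added example, not code from this thread or from GnuPG: a small Python inspector for the check the thread circles around, namely what identity data an exported public key would reveal if uploaded to a keyserver. It walks the OpenPGP packet stream (RFC 4880 framing), lists the User ID packets, flags those carrying an email address, and can re-emit the key with only chosen UIDs, which is what `gpg --export-filter keep-uid` does for a real key with a UUID primary UID and locally kept email UIDs. The sample key bytes, the UUID and "Alice Example" are constructed placeholders, and self-signatures are neither generated nor validated.

```python
PUBLIC_KEY, SIGNATURE, USER_ID = 6, 2, 13          # RFC 4880 packet tags

def packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        b = data[i]
        if not b & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if b & 0x40:                               # new-format header
            tag, l1 = b & 0x3F, data[i + 1]
            if l1 < 192:
                length, i = l1, i + 2
            elif l1 < 224:
                length, i = ((l1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif l1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                      # old-format header
            tag, n = (b >> 2) & 0x0F, (1, 2, 4, 0)[b & 0x03]
            length = int.from_bytes(data[i + 1:i + 1 + n], "big") if n else len(data) - i - 1
            i += 1 + n
        yield tag, data[i:i + length]
        i += length

def encode(tag, body):                             # old-format header, tags below 16
    lt = 0 if len(body) < 0x100 else 1 if len(body) < 0x10000 else 2
    return bytes([0x80 | (tag << 2) | lt]) + len(body).to_bytes((1, 2, 4)[lt], "big") + body

def user_ids(data, only_email=False):
    """All UID strings, or only those that would publish an email address."""
    uids = [body.decode("utf-8", "replace") for tag, body in packets(data) if tag == USER_ID]
    return [u for u in uids if "@" in u] if only_email else uids

def keep_only_uids(data, wanted):
    """Drop UIDs not in `wanted` and the certification signatures that follow
    each of them, as gpg's --export-filter keep-uid does for a real key."""
    out, keep = b"", True
    for tag, body in packets(data):
        if tag == USER_ID:
            keep = body.decode("utf-8", "replace") in wanted
        elif tag != SIGNATURE:
            keep = True                            # key and subkey packets always survive
        if keep:
            out += encode(tag, body)
    return out

# Constructed sample: placeholder key material, UUID-only primary UID, email UID, stand-in self-sig bodies.
UUID_UID, MAIL_UID = "6f1b0a9e-4c2d-4e7a-9f3b-2d8c1a5e7b40", "Alice Example <alice@example.org>"
SAMPLE_KEY = (encode(PUBLIC_KEY, b"\x04\x00\x00\x00\x00\x01\x00\x02\x03")
              + encode(USER_ID, UUID_UID.encode()) + encode(SIGNATURE, b"\x04\x13")
              + encode(USER_ID, MAIL_UID.encode()) + encode(SIGNATURE, b"\x04\x13"))
```

To check a real key before uploading it, pipe `gpg --export KEYID` into a script that calls `user_ids(sys.stdin.buffer.read(), only_email=True)`; an empty list means no email address would be published.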


