[Discuss] privacy with pgp keys

Chris Markiewicz effigies at riseup.net
Thu Sep 10 18:42:25 EDT 2015


On 09/10/2015 04:23 PM, Mayuresh Rajwadkar wrote:
> hi
> 
> http://pgp.mit.edu/pks/lookup?search=b5d1f0f4&op=index
> 
> That uploaded key has an MD5 and SHA224 of the ID aka email...
> One can verify that the email and fingerprint I provide will match up to
> those hashes..
> It's not entirely impossible...

If I understand you properly, when somebody wants to communicate with
you, you would tell them something like:

> Take my name and email address, and run the following commands:
> $ KEYUID='NAME <EMAIL>'
> $ echo -n "$KEYUID" | md5sum
> $ gpg --search-keys "$(echo -n "$KEYUID" | sha224sum | sed -e 's/ .*//')"
>
> Check the MD5 sums are the same, and make a note of the UUID, so you
> can use it whenever you want to encrypt something (or put it in your
> enigmail rules)

At that point, why not simply use something like minilock
(https://minilock.io/), where you just publish a 46-character public key?

> I do appreciate Derek's concern...
> 
> In my example I have used a UUID, which is the ultimate but one can use a
> FirstName/LastName
> which can be a little bit liberal, than providing an email address,
> embedding a thumb-print jpeg, or
> an IRIS-scan jpeg, or providing some kind of DNA fingerprint/sequence would
> be kind of overly liberal ☺ than
> just an email address, which is also possible... if privacy is no
> concern...

This honestly just sounds ill-suited to PGP. Given that PGP isn't very
popular, and is already inconvenient to learn and use, I'm not sure that
augmenting it with an extra layer of work for anybody wishing to
communicate with you is really compelling. Avoiding spam seems like a
losing proposition, no matter what.
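
The check described in this message, run offline, as an added example that is not part of the original post. It assumes the published key's uid field holds the MD5 and SHA224 digests separated by a space (the thread does not give the layout); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a "hashed user ID" key listing without a keyserver.
# Assumption: the uid field holds "<md5> <sha224>" of the real
# 'NAME <EMAIL>' string. The thread does not specify the layout.

# Hex digest of a string with no trailing newline,
# equivalent to `echo -n STRING | md5sum` in the message above.
digest() {  # usage: digest md5sum|sha224sum STRING
    printf '%s' "$2" | "$1" | cut -d' ' -f1
}

# The token a correspondent would pass to `gpg --search-keys`.
lookup_token() {
    digest sha224sum "$1"
}

# Reads `gpg --with-colons` style output on stdin. Succeeds only if some
# uid record (user ID is field 10) carries both digests of the claimed ID.
verify_hashed_uid() (
    md5=$(digest md5sum "$1")
    sha=$(digest sha224sum "$1")
    awk -F: -v md5="$md5" -v sha="$sha" '
        $1 == "uid" && index($10, md5) && index($10, sha) { found = 1 }
        END { exit !found }'
)

# Constructed sample listing (not a real key): a pub record followed by
# a uid record whose user ID is the two digests of the given string.
sample_listing() (
    printf 'pub:-:4096:1:0000000000000000:1441900000:::-:::scESC:\n'
    printf 'uid:-::::1441900000::0000::%s %s:\n' \
        "$(digest md5sum "$1")" "$(digest sha224sum "$1")"
)

# Demo with a constructed identity.
claimed='Alice Example <alice@example.org>'
echo "search token: $(lookup_token "$claimed")"
if sample_listing "$claimed" | verify_hashed_uid "$claimed"; then
    echo "uid digests match the claimed identity"
else
    echo "uid digests do NOT match"
fi
```

A match only shows that the uid was derived from the claimed string; it says nothing about who controls the key, so the key fingerprint still has to be confirmed out of band.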


