[Discuss] privacy with pgp keys

John Abreau abreauj at gmail.com
Thu Sep 10 18:53:00 EDT 2015


I have to agree. It's not just ill-suited to PGP, it's also a major
obstacle to verifying trust at a keysigning party. It may be workable
one-on-one where the other party is strongly motivated to verify your key,
but it's far too onerous for a mass keysigning event.



On Thu, Sep 10, 2015 at 6:42 PM, Chris Markiewicz <effigies at riseup.net>
wrote:

> On 09/10/2015 04:23 PM, Mayuresh Rajwadkar wrote:
> > hi
> >
> > http://pgp.mit.edu/pks/lookup?search=b5d1f0f4&op=index
> >
> > That uploaded key has an MD5 and SHA224 of the ID aka email...
> > One can verify that the email and fingerprint I provide will match up to
> > those hashes..
> > It's not entirely impossible...
>
> If I understand you properly, when somebody wants to communicate with
> you, you would tell them something like:
>
> > Take my name and email address, and run the following commands:
> > $ KEYUID='NAME <EMAIL>'
> > $ echo -n "$KEYUID" | md5sum
> > $ gpg --search-keys "$(echo -n "$KEYUID" | sha224sum | sed -e 's/ .*//')"
> >
> > Check the MD5 sums are the same, and make a note of the UUID, so you
> > can use it whenever you want to encrypt something (or put it in your
> > enigmail rules)
>
> At that point, why not simply use something like minilock
> (https://minilock.io/), where you just publish a 46-character public key?
>
> > I do appreciate Derek's concern...
> >
> > In my example I have used a UUID, which is the ultimate but one can use a
> > FirstName/LastName
> > which can be a little bit liberal, than providing an email address,
> > embedding a thumb-print jpeg, or
> > an IRIS-scan jpeg, or providing some kind of DNA fingerprint/sequence would
> > be kind of overly liberal ☺ than
> > just an email address, which is also possible... if privacy is no
> > concern...
>
> This honestly just sounds ill suited to PGP. Given that PGP isn't very
> popular, and is already inconvenient to learn and use, I'm not sure that
> augmenting it with an extra layer of work for anybody wishing to
> communicate with you is really compelling. Avoiding spam seems like a
> losing proposition, no matter what.



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6


