[Discuss] privacy with pgp keys

[dsr at randomstring.org (Dan Ritter)]

On Thu, Sep 10, 2015 at 04:23:42PM -0400, Mayuresh Rajwadkar wrote:
> hi
> 
> http://pgp.mit.edu/pks/lookup?search=b5d1f0f4&op=index
> 
> That uploaded key as a MD5 and SHA224 of the ID aka email...
> One can verify that the email and fingerprint I provide will match up to
> those hashes..
> Its not entirely impossible...
> 
> I do appreciate Derek's concern...
> 
> In my example I have used a UUID, which is the ultimate but one can use a
> FirstName/LastName
> which can be a little bit liberal, than providing an email address,
> embedding a thumb-print jpeg, or
> a IRIS-scan jpeg, or providing some kind of  DNA fingerprint/sequence would
> be kind a overly  liberal  ? than
> just an email address, which is also possible... if privacy is no
> concern...

I don't think you understand.

A PGP key pair is an identity.

If you want to link that identity to you, a legal person of some
kind, then you can go through a key-signing party, or several
equivalents, in which you prove to people who you are and that
you control the key pair, and they attest to that.

If you don't want to link the key identity to you, the person,
then you simply don't go through a key-signing party.

If you want to make several key pairs and only link one of them
to you, you can do that by only bringing the one you want linked
to the key-signing party.

-dsr-