[Discuss] privacy with pgp keys

[effigies at riseup.net (Chris Markiewicz)]

On 09/10/2015 04:23 PM, Mayuresh Rajwadkar wrote:
> hi
> 
> http://pgp.mit.edu/pks/lookup?search=b5d1f0f4&op=index
> 
> That uploaded key as a MD5 and SHA224 of the ID aka email...
> One can verify that the email and fingerprint I provide will match up to
> those hashes..
> Its not entirely impossible...

If I understand you properly, when somebody wants to communicate with
you, you would tell them something like:

> Take my name and email address, and run the following commands:
> $ UID='NAME <EMAIL>'
> $ echo -n $UID | md5sum
> $ gpg --search-keys `echo -n $UID | sha224sum | sed -e 's/ .*//'`
>
> Check the MD5 sums are the same, and make a note of the UUID, so you
> can use it whenever you want to encrypt something (or put it in your
> enigmail rules)

At that point, why not simply use something like minilock
(https://minilock.io/), where you just publish a 46-character public key?

> I do appreciate Derek's concern...
> 
> In my example I have used a UUID, which is the ultimate but one can use a
> FirstName/LastName
> which can be a little bit liberal, than providing an email address,
> embedding a thumb-print jpeg, or
> a IRIS-scan jpeg, or providing some kind of  DNA fingerprint/sequence would
> be kind a overly  liberal  ? than
> just an email address, which is also possible... if privacy is no
> concern...

This honestly just sounds ill suited to PGP. Given that PGP isn't very
popular, and is already inconvenient to learn and use, I'm not sure that
augmenting it with an extra layer of work for anybody wishing to
communicate with you is really compelling. Avoiding spam seems like a
losing proposition, no matter what.