Hi

On Saturday 27 February 2010 at 4:22:27 PM, in
<mid:4b8946c3.5050...@sixdemonbag.org>, Robert J. Hansen wrote:

> His position seems to have shifted.

As the thread has progressed, the posts I'm replying to have shifted from "It is a good idea to send your key to the keyservers," to an assertion that it's also a good idea to publish other people's keys whether they want them published or not.

> At some points he's said,
> "What's not to agree with in my statement that not
> everybody wants to put their keys on the keyservers?"

> I fully agree with this. However, he also seems to be
> advocating the advice of "generally speaking, it's a
> good idea to put keys on the keyservers" be changed to
> "generally speaking, it's not a good idea to share
> public keys without the key owner's explicit
> permission."

> This is a pretty big change in the conventional wisdom.
> Before I'll sign on to that I'll have to see some
> strong reasoning, and I haven't.

>> It seems (and I could be utterly wrong), that MFPA is
>> saying "Not everyone wants their key on the
>> keyservers, so please don't automatically send other
>> people's keys there. If the key owner wants the key
>> on the keyservers, he'll send it himself."

That is exactly what I am saying. Most people's keys contain personal contact details and the decision to place that information in the public domain rests solely with the person whose details they are.

> MFPA has made it clear his objection applies to any
> kind of sharing of public keys without the owner's
> consent. It's not limited to the keyserver network.
> He considers it the equivalent of passing on someone's
> home address to a complete stranger. ("I would no more
> deliberately publish somebody's key without their
> consent than I would pass on their phone number or
> address.")

Pretty much, yes. Not forgetting the possible legal implications under data protection legislation in the EU and other places.

> "the keyservers are generally a good idea, and
> generally speaking they should be used, and people
> should expect their public keys will wind up on them
> sooner or later, either through their direct action or
> through the accidents of others."

> It is not universally applicable advice, but I think
> that as far as general advice goes it's pretty good.

I don't think it is bad advice when put like that. Maybe the person being advised could be pointed to a summary discussion of pros and cons, and of alternatives to keyservers - but that would probably be information overload.

It is definitely good advice to bear in mind that your key may well end up on a keyserver whether you want it to or not. That will feed into the decision of what information to include in your UIDs.

I find the attitude that it is OK to publicise somebody else's details without consent abhorrent, and suggestive of a disregard for other people's privacy.

Given the importance of personal privacy, it seems to me that it's too easy to accidentally upload the wrong key to a server. I'm not sure if anything could usefully be changed to address this; even if people read confirmations before pressing "y" when using GnuPG, such mistakes are all-too-easy in other packages and front-ends as well.

-- 
Best regards

MFPA                    mailto:expires2...@ymail.com

The problem is not that we're paranoid; it's that we're not paranoid enough.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users