Hi Paul
On Monday 8 March 2010 at 7:44:42 AM, you wrote:

> I am assuming that a person inhabited with the desire to protect his
> personal information would analyze the safety of using a UID with the
> information that he wants to protect.

I think you may be assuming an awful lot, especially in the case where
the person has a desire for privacy rather than a life-or-death *need*
for privacy. Such a person may well be less rigorous than yourself in
their analysis and investigations. We *are* talking about a technology
created for privacy
(http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html).

> A person worried about the disclosure of his personal information is
> unlikely to say, "Huh. I guess I don't have an option concerning my
> privacy."

Unless their research reveals they *can* usefully create and circulate
a key that omits their name/email address, they are weighing the
privacy benefit of encrypting their mail against the privacy danger of
using a key that contains those details. That isn't quite the same as
"I don't have an option."

> I am also assuming that the user has intelligence and judgment.

A useful combination, sadly not common enough (-;

> I mean that he must be able to realize that he needs to be competent
> in the tool that he is using. How could a person of judgment believe
> that he could have the minimum knowledge of how to use cryptography
> and his OpenPGP tool, and believe that he will successfully protect
> his privacy?

Even intelligence and judgment together do not necessarily lead to
perfect decisions. The point when the user *thinks* he has sufficient
knowledge or competence does not automatically coincide with the point
at which this is true.

> The person concerned with the releasing of his personal information
> might make the mistakes that you have said. But the kind of person that
> you are talking about has minimal knowledge in OpenPGP and the tools to
> implement it and has less than adequate reasoning.

I would expect an inexperienced user of *anything* to have limited
knowledge compared to an "expert," or at least to have not yet fully
reflected on and internalised the information he has acquired. The kind
of person I have described would clearly have made a poor call in
deciding they had done sufficient reading around the subject, but I'm
not convinced I have outlined a person of less than adequate reasoning
ability.

> I have been naive before. But I didn't begin using GnuPGP while I was
> still naive about it. I studied how cryptography and OpenPGP worked,
> how to use gpg, and how to use it with e-mail and files.

Many people are less patient than you must be; I have heard numerous
people advocate the "ready, fire, aim" approach to life.

> I won't claim that I am better or more knowledgeable than some of the
> other smart people on this mailing list, but I will say that I am smart
> enough to teach others how it works. Actually, it was my goal to
> understand the concepts and the tools well enough to teach others.
> You don't have to have the most understanding in order to teach others,
> but you do have to have /enough/ understanding in what you want to teach
> in order to teach others.

Yes, in my first two years at university most staff were assigned to
teach topics outside their primary field of expertise, and switched
around every year. The stated idea was to enable undergraduates to be
taught by people who had recently learnt (or re-learnt) the same
material, who would be more in tune with what a new learner would find
difficult than the "expert" who, having been fully conversant with the
material for several decades, would see it all as trivial.

> That is what I was saying in the previous posting. Someone who desires
> privacy will do what it takes to get it. That includes dispelling his
> naivety with knowledge.

Which is an ongoing process. An individual desirous of privacy is
likely to continue finding new threats and/or new protections for as
long as they care to keep looking.

> As for the person not realizing how easy it would be to accidentally
> upload a public key to a keyserver, I was never that naive. I was aware
> of it from the beginning. My key wasn't on the keyservers, initially (I
> chose to upload it later). But I knew that if I was careless it could
> wind up there.

Were you aware because of something you read, or because of
experimentation? When first trying PGP in 2003, I read that uploading
your key to a server was a Good Thing but found no evidence to support
that assertion. I had no desire to publish my key to a server so I had
no reason to experiment with how to do it. I was genuinely shocked
when, much later, I found out how easy it was to upload keys and
considered the likelihood of mistakes. Fortunately, I had created my
key without including my name or email address (because I could not
see how including them could aid privacy).

> Maybe it is that I am an above average user. Maybe. Maybe it is just
> that I exercised judgment. Maybe I expect others to do the same.

Maybe.

--
Best regards

MFPA                    mailto:expires2...@ymail.com

Life is a holiday. In the same way that glass is a liquid.