On 30 Apr 2023, at 14:42, Johan Wevers via Gnupg-users <gnupg-users@gnupg.org> wrote:
>
> On 2023-04-30 14:58, Andrew Gallagher via Gnupg-users wrote:
>> Whether this is done voluntarily or under duress from their employer is an
>> opsec issue, not a comsec one.
>
> If it is an ex-employer that might be more complicated.

Indeed. If this is in your threat model then don’t use work email addresses for personal communication, because encryption cannot protect you.

>> The danger of an “ignore ADK” option is that it gives a false sense of
>> security. It is already possible for an employer to require escrow of the
>> decryption subkeys of their employees - ADK actually makes this process more
>> transparent.
>
> That might be, but it is nowhere certain that this escrow will happen,
> especially if they roll out adk's.

You’re inverting the burden of proof here. The important consideration is that E2E can’t prove that a key *wasn’t* escrowed - so it’s much better for the software to make no claims about it than potentially misleading ones.

A