On 30/03/2015 8:28 am, Mike Ingle wrote:
>
>> Why should the user need to delete one, rather than just be told
>> there were two and the one with such-and-such a fingerprint (or the
>> one highlighted) signed this message? If it is just a string in a
>> key UID rather than a functional email address, it will not
>> necessarily be unique.
>
> There should not be two or more keys advertised for one email
> address. That creates confusion, requires the recipient to have two
> CM accounts, and increases the risk of bogus keys being used. Since
> CM keys disappear from the key search results about a month after
> the key owner stops advertising them, people should delete old or
> bogus keys from their keyrings.

Now you're making an assumption that all email addresses are created for individuals. Yet you also see a possible future of businesses using it. So if it is ever used by a team of people who all send email from something like supp...@acme.com, you will encounter that scenario very quickly. Hence it would be better to simply have warnings of a potential conflict rather than forcing the recipient to only choose one sender.

> Once the owner stops advertising the key (by using it in a CM
> account), after a month or so the STORUTIL will remove it from the
> servers. That depends on how often server operators run STORUTIL to
> prune their server directories.

Meaning that if you run your own server you don't have to maintain the account too much if it sees very little traffic (initially). Good.

>> > Anyone can run a provider and I expect them to range from strictly
>> > business to the dodgy darknet variety.
>
>> Using "darknet" services to enhance privacy does not equate to
>> "dodgy". A person's communications are none of anybody else's
>> business, apart from whoever they choose to communicate with.
>
> No offense to the darknet intended. I'm in favor of more widespread
> Tor and I2P usage, that's why I built in support for it. Using CM
> over hidden services is a good way to avoid social graph building.

Not to mention a good way to circumvent mandatory communications surveillance and transnational corporations who believe they should be able to view all your communications to make sure you're not quoting a film without paying a tithe.

> An example of a "dodgy darknet provider" would be if one of the
> darknet markets decided to run a couple of covert CM servers (having
> only Tor hidden service addresses) to facilitate vendor to customer
> communication. That would solve the problem of some users not
> encrypting their messages, and would allow people to communicate
> even if the hidden website server is down.

Heh. Yes, it would be a good solution from them, but from what I've seen they're just as lazy as the Stratfor employees (which is why Stratfor got cracked and the others got arrested).

> Suppose a reporter on a "strictly business" CM provider wanted to
> interview vendors of that darknet market. She could do so using CM
> without needing a technical expert to handle the encryption, and
> without either party being exposed to any risks. In the past that
> has been difficult.
>
> It is also possible to run mailing lists and file servers over CM. I
> am currently running a CM users' mailing list.

Cool.

There are definitely still aspects of it which need work, mainly on the user interface end from what I can see so far, but it answers so many problems (including Moxie Marlinspike's recent complaint about OpenPGP and forward secrecy) that it could make a real difference for a lot of people.

I still think, though, that the better solution for the UI issues is to provide the specifications and an API so people can either adapt their existing favourite clients to support CM or write whole new ones. It's the sort of system which nmh would handle very well, for example. No doubt there would be assorted other types of solutions being adapted to it (I'd expect some people to treat it more like an IM program than an email program too, depending entirely on how they made the UI appear and behave).

By all means, use your own client as an example, but if you want wider adoption then take advantage of others wanting to do their own things with it.

Regards,
Ben