-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi John

On Saturday 27 February 2010 at 10:21:20 PM, you wrote:

> MFPA wrote:
>> My contention is that the de facto standard of revealing email addresses
>> in key UIDs could actually be mitigating *against* the use of encrypted
>> mail, by discouraging people from publishing keys or even from using
>> openPGP in the first place.

> An /interesting/ thesis. However, to be taken seriously you need to back
> it up with more than conjecture. There are plenty of obstacles to the
> widespread use of encryption in the computing literature without grasping
> at straws to create more.

I'm not creating an extra obstacle. I'm highlighting an existing obstacle
about which I have consistently found almost no discussion. I refer you to
a thread at http://marc.info/?l=gnupg-devel&m=125471247807096&w=2 where the
OP proposes removing this obstacle by (optionally) hashing the email
address in the UID, and particularly the final post at
http://www.imc.org/ietf-openpgp/mail-archive/msg36986.html which covers
issues other than the OP's perceived spam threat.

>> There is a widespread perception (rightly or wrongly) that exposing your
>> email address publicly on the internet will lead to that email address
>> being spammed into oblivion. The new openPGP user is exhorted to create a
>> key pair using their name and email address as the UID, and to upload
>> this key to a server. That advice, coupled with the default
>> configuration's enforcement of including an email address (or something
>> that appears to be one), clearly has the potential to scare potential
>> users from experimenting with openPGP in the first place.

> Widespread perception? Indeed? Please quantify.

Before you even look at real privacy concerns, a Google search for "avoid
spam" (without quotes) says there are over 38 million matches. That's
pretty widespread, even if some of those 38 million are promoting spam
filters and other such measures.

> Odds on users will get more SPAM from asking a question on a public
> mailing list such as this one than they will from that attributable to
> keyservers.

Assuming that SPAM (rather than privacy) worries are the obstacle in their
mind, postings saying that keyserver spam is not an issue will not be all
that a potential user researching the matter will find. They could go to a
keyserver, search on a fairly common name, and in a matter of seconds
display a page containing hundreds of email addresses. Then, finding
http://www.mail-archive.com/cypherpu...@cyberpass.net/msg01815.html would
likely concern them, especially when they read the line "It used to be
possible to extract keys from the PGP keyservers, which meant that a
low-tech spammer could nab 5-20000 email addresses". They might also find
http://marc.info/?l=gnupg-users&m=110369132905296&w=2 where somebody
describes creating and uploading a key with a freshly-crafted spamgourmet
address, which started receiving spam the following day.

> "(rightly or wrongly)" Or imaginary?

Do I imagine that I can do a search and find seemingly endless advice about
munging, temporary/disposable addresses, care over giving out your address
or posting it to a website or newsgroup? I'm sure I do not. Whether right
or wrong, the perception definitely exists and has given rise to writings
in many quarters.

> Rather than trying to convince us of new "obstacles" without providing
> any evidence, you may wish to review what the HCI folks say are the
> obstacles: "Why Johnny Can't Encrypt"[1], "Why Johnny Still Can't
> Encrypt"[2], "How to Make Secure Email Easier to Use"[3], and a personal
> favorite, "Secrecy, Flagging, and Paranoia: Adoption Criteria in
> Encrypted E-Mail"[4].

Interesting. I had already read [1] and [2]. My would-be user reads up about
openPGP. He finds that it's the de facto standard for his key UID to show
his email address. The software user guides and the community recommend
the key be published to the keyservers. That sets his alarm-bells ringing;
he gives up before even reaching any of the documented obstacles.

> [...]
> I've seen errant ideas criticized, not any person.

Skimming back over some posts in the thread, I still see it. But, hey, no
harm done.

> I think most of us agree that the publishing of another person's key(s) is
> mostly attributable to a) accident, or b) ignorance. I don't think malice
> normally is a factor.

I suspect that's true, although the only time it has so far happened to me
was an act of malice.

- --
Best regards

MFPA                    mailto:expires2...@ymail.com

When you're caffeinated, all is right with the world
-----BEGIN PGP SIGNATURE-----

iQCVAwUBS4qX1qipC46tDG5pAQoeFAP/RtIbq55tJmxoqrtF2v4SOnMmhYTPxJcq
GwMzZDWntwNxkbp7MklvlBNT4Ll0OYYdp/emG4f04aMSNPXcCIXu3RWRo1U3nuzV
5MKq5djXkZSkYSKqkrsVFtWsiUrqRdEY97jiDDe+Ja+7IL/786yGtNdUfjnlthQz
WhESJPdwFO8=
=bWtL
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
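Editor's note, added after the message and not part of MFPA's post or of GnuPG: the "hash the email address in the UID" proposal that MFPA points to in the gnupg-devel thread is easy to reason about in code. The sketch below is an assumption about how such a scheme could look (SHA-256 of the lowercased address, placed in the local part of a ".invalid" address so the UID still has the "Name <something@domain>" shape GnuPG's default prompt expects); the linked thread may define it differently. It shows three things a practitioner would want to check: a scraper harvesting plain UIDs gets nothing from the hashed one, lookup by email still works if the server hashes the query, and an unsalted hash of a guessable address is reversed by a short candidate list. The keyring, names, fingerprint labels and addresses are constructed for the example.

```python
"""Hashed-address UIDs: scraping, lookup-by-hash, and the dictionary-attack caveat.

Added illustration; not GnuPG code. The UID shape "Name <sha256hex@hashed.invalid>"
is an assumption made here for the example (".invalid" is the RFC 2606 reserved TLD).
"""
import hashlib
import re

HASHED_DOMAIN = "hashed.invalid"   # assumed marker domain for hashed local parts
_ADDR = re.compile(r"<([^<>]+)>")  # the address part of "Name <addr>"


def canonical(email: str) -> str:
    """Normalise before hashing so lookups do not depend on case or whitespace."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    return hashlib.sha256(canonical(email).encode("utf-8")).hexdigest()


def hashed_uid(name: str, email: str) -> str:
    """Build a UID that carries the hash of the address instead of the address."""
    return f"{name} <{hash_email(email)}@{HASHED_DOMAIN}>"


def uid_address(uid: str):
    m = _ADDR.search(uid)
    return m.group(1) if m else None


def build_sample_keyring() -> dict:
    """Constructed keyring: fingerprint label -> UIDs. Labels and people are made up."""
    return {
        "FPR-PLAIN-1": ["Bob Example <bob@example.org>"],
        "FPR-HASHED-1": [hashed_uid("Alice Example", "alice@example.org")],
    }


def harvest_addresses(keyring: dict) -> set:
    """What a low-tech scraper gets from the UIDs: every routable address."""
    found = set()
    for uids in keyring.values():
        for uid in uids:
            addr = uid_address(uid)
            if addr and not addr.endswith("@" + HASHED_DOMAIN):
                found.add(addr)
    return found


def lookup_by_email(keyring: dict, email: str) -> list:
    """A hash-aware keyserver search: hash the query, then compare local parts."""
    wanted = f"{hash_email(email)}@{HASHED_DOMAIN}"
    return [fpr for fpr, uids in keyring.items()
            if any(uid_address(u) == wanted for u in uids)]


def reverse_hashed_uids(keyring: dict, candidates) -> dict:
    """The caveat: an unsalted hash of a low-entropy address falls to guessing.

    Hash each candidate address once and match it against every hashed UID.
    """
    table = {hash_email(c): canonical(c) for c in candidates}
    recovered = {}
    for fpr, uids in keyring.items():
        for uid in uids:
            addr = uid_address(uid)
            if addr and addr.endswith("@" + HASHED_DOMAIN):
                digest = addr.split("@", 1)[0]
                if digest in table:
                    recovered[fpr] = table[digest]
    return recovered


if __name__ == "__main__":
    kr = build_sample_keyring()
    print("scraper sees:", harvest_addresses(kr))
    print("lookup alice:", lookup_by_email(kr, "Alice@Example.ORG"))
    print("guessed:", reverse_hashed_uids(kr, ["carol@example.org", "alice@example.org"]))
```

The last function is the point to keep in mind when weighing the proposal: hashing removes the address from casual display and bulk scraping, but because lookup-by-email needs an unsalted, deterministic hash, anyone with a list of likely addresses (a company's name@domain pattern, a leaked mailing list) can still confirm which keys belong to which people. A salt would stop that, and would equally stop the keyserver from answering "does a key exist for this address", which is the trade-off the linked thread is about.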