Re: Hide UID From Public Key Server By Poison Your Key?
> Uh -- how?

Because I have associated not only my real name, but also my working email, and it is listed on my company's home page. If people are trying to follow you, they are not going with a presumption of innocence, and too many things can help them justify their doubt -- such as your timezone, language style, grammar and spelling errors. To make it worse, I was working in a very small industry and there are only 3 companies providing such a service, and I talked a lot about it in the past with my online identity.

> This is a total dick move. Don't do this. You'll
> make yourself a lot of enemies

I do not have to pick any real name, at least not from any pgp user. I can just use a fake name generator, put those names under my company's domain, or just add my colleague's email to it -- they will never notice. Even if they do, they can only see their UID under a revoked key, and it looks just like other ancient garbage keys in the server. I will try to make it as harmless as possible.

The only problem is how the pgp key server handles 2 public keys with a duplicated timestamp. If I cannot insert some fake UIDs before my real one, the whole thing will be pointless.

Sent: Monday, January 15, 2018 at 3:13 PM
From: "Robert J. Hansen"
To: gnupg-users@gnupg.org
Subject: Re: Hide UID From Public Key Server By Poison Your Key?

> Let's say, you have accidentally associated your
> real name to the key under your online name and
> upload it to public key server, which allows
> anyone to connect your online identity to the
> person in real life.

Uh -- how?

There is no mechanism in the keyserver to do this. That's why you have to validate certificates you receive from the keyserver. The fact there's a UID named "Robert J. Hansen " on key 0xB44427C7 provides you with precisely *zero* evidence that I'm Rob Hansen or that Rob Hansen even exists. For all you know my name is Maurice Micklethorpe.

> Since you can never remove
> anything from the public key server, You are
> wondering if you can add something to it -- for
> example, add another 100 of UIDs with other
> people's real name and emails so people can not
> find out which one is yours, and append another
> 100 of digital signature so people get tired
> before figure out which one is from valid user.

I rarely use language like this, but this time I think it's warranted:

This is a total dick move. Don't do this. You'll make yourself a lot of enemies, and if you pick the wrong real names and emails, some of those people are pretty damn good at figuring out what's going on.

Don't put real names and emails belonging to other people on your cert. It's *rude*. If someone goes looking for "Robert J. Hansen " I want them to see one cert is newest and I want them to use that one. If you go about putting my name and email address on your cert, I'm going to get cross.

Again: this is a total dick move. Don't do this.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Remove public key from keyserver (was: Hide UID From Public Key Server By Poison Your Key?)
> That said I guess ideas like this have already
> likely been discussed before?

Good luck with that; similar discussions have been held for years and nothing has ever changed. Last time I checked, a discussion in 2005 was labeled as "Remove public key from keyserver No.74"

Sent: Monday, January 15, 2018 at 4:14 PM
From: "Leo Gaspard"
To: gnupg-users@gnupg.org
Subject: Remove public key from keyserver (was: Re: Hide UID From Public Key Server By Poison Your Key?)

On 01/15/2018 08:13 AM, Robert J. Hansen wrote:
>> Since you can never remove
>> anything from the public key server, You are
>> wondering if you can add something to it -- for
>> example, add another 100 of UIDs with other
>> people's real name and emails so people can not
>> find out which one is yours, and append another
>> 100 of digital signature so people get tired
>> before figure out which one is from valid user.
>
> I rarely use language like this, but this time I think it's warranted:
>
> This is a total dick move. Don't do this. You'll make yourself a lot
> of enemies, and if you pick the wrong real names and emails, some of
> those people are pretty damn good at figuring out what's going on.
>
> Don't put real names and emails belonging to other people on your cert.
> It's *rude*. If someone goes looking for "Robert J. Hansen
> " I want them to see one cert is newest and I want
> them to use that one. If you go about putting my name and email address
> on your cert, I'm going to get cross.
>
> Again: this is a total dick move. Don't do this.

That said, it raises the interesting question of revocation of data on keyservers (and the associated legal issues in operating keyservers, as the operator is supposed to comply with requests to remove personally-identifiable information from it).

I was just thinking, would it be possible to have a tag (a UID with special meaning, like “please-remove...@srs-keyservers.net”?) for which the signature would be verified by the keyserver, and that would cause it to drop everything from its storage apart from this tag?

This way the “please remove me” tag would just naturally propagate across keyservers, and all up-to-date-enough keyservers will drop all the data associated with the key except the tag and the master public key (basically, the strict minimum to check the said tag).

That said I guess ideas like this have already likely been discussed before?
Hide UID From Public Key Server By Poison Your Key?
Hi all,

First of all, I am sorry for using a temporary email address.

Let's say, you have accidentally associated your real name to the key under your online name and uploaded it to a public key server, which allows anyone to connect your online identity to the person in real life.

Since you can never remove anything from the public key server, you are wondering if you can add something to it -- for example, add another 100 UIDs with other people's real names and emails so people cannot find out which one is yours, and append another 100 digital signatures so people get tired before figuring out which one is from a valid user.

Since it is easy to fake system time for PGP, you can mix my real UID in the middle of all these. The problem is, how will the public key server handle 2 keys with a duplicated timestamp?

Just an idea, it might be more efficient if I just commit online suicide (throw away my current identity).

Best regards
Jason