Hey All!

Question for Torbirdy folks - what is the rationale for using --throw-keyids in the gpg command-line when using Enigmail together with Torbirdy (looks like it was initially committed in d1d5c28ade6b28693b1f2b1cc35fe4d17eb02ed0, and the commit log is nothing more than "--throw-keyids" :))?

I see the code comment mentions that --hidden-recipient for each person would be better/preferred (though I think throw-keyids is identical if you're doing hidden-recipient for every recipient), but, again, I'm having a hard time understanding the rationale for doing either of these. The recipients of the message are already clearly disclosed in the message headers, and Enigmail's default behavior is to use hidden-recipient for any BCC'd recipients.

I would argue that forcing all recipients to be hidden a) makes Torbirdy more fingerprintable because it's a non-standard behavior and b) is a royal PITA for recipients of encrypted messages from Torbirdy users if those recipients have a lot of candidate private keys to test decryption with. Reason b), in case you can't guess, is why I came across this in the first place. :)

If the goal is to hide the sender's encrypt-to key and thus protect their identity, --hidden-encrypt-to is actually the option that would seem to make the most sense:

http://www.gnupg.org/documentation/manuals/gnupg-devel/GPG-Key-related-Options.html

Please, for the sanity of people receiving encrypted mail from Torbirdy users, reconsider defaulting to --throw-keyids, or at least educate me on the aspect of protection it provides that I'm missing. :)

Thanks,
Tim

--
Tim Wilde, Software Engineer, Team Cymru, Inc.
twi...@cymru.com | +1-847-378-3333 | http://www.team-cymru.org/

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
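What the options discussed above change on the wire, as an added example that is not part of the original message: each recipient of an OpenPGP message gets a Public-Key Encrypted Session Key packet carrying an 8-byte key ID, and a hidden recipient's key ID is all zeros (RFC 4880, section 5.1), so the receiving side has to try its secret keys in turn. The sample bytes and the helper names (`pkesk`, `describe`, `recipient_key_ids`) are constructed for illustration.

```python
import struct

PKESK_TAG = 1          # Public-Key Encrypted Session Key packet (RFC 4880, 5.1)
WILDCARD = bytes(8)    # all-zero key ID: the recipient is not named

def read_header(buf, pos):
    """Return (tag, body_start, body_len); body_len is None if not definite."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        return tag, pos + 2, None                     # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        return tag, pos + 1, None                     # indeterminate length
    size = 1 << ltype                                 # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def recipient_key_ids(message):
    """Key ID of each v3 PKESK packet at the start of a binary (unarmored) message."""
    ids, pos = [], 0
    while pos < len(message):
        tag, start, length = read_header(message, pos)
        if tag != PKESK_TAG or length is None:
            break                                     # session-key packets come first
        body = message[start:start + length]
        if body[0] == 3:                              # version 3: 8-byte key ID follows
            ids.append(body[1:9])
        pos = start + length
    return ids

def describe(message):
    return ["hidden (try every secret key)" if k == WILDCARD else k.hex().upper()
            for k in recipient_key_ids(message)]

# Constructed sample: two PKESK packets with dummy session-key bytes,
# followed by the start of an encrypted data packet (tag 18).
def pkesk(key_id):
    body = bytes([3]) + key_id + bytes([1]) + b"\x00\x08\xaa"  # version, key ID, RSA, dummy MPI
    return bytes([0x84, len(body)]) + body            # old-format header, tag 1

SAMPLE = pkesk(bytes.fromhex("0123456789ABCDEF")) + pkesk(WILDCARD) + bytes([0xD2, 0x01, 0x01])
print(describe(SAMPLE))
```

On a real message the same fields are shown by `gpg --list-packets`.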