Thread: NPR : E-Mail Encryption Rare in Everyday Use




NPR : E-Mail Encryption Rare in Everyday Use
user name
2006-02-27 09:31:11
Florian Weimer wrote:
> * Ben Laurie:
>
>> I don't use PGP - for email encryption I use enigmail, and getting
>> missing keys is as hard as pressing the "get missing keys" button.
>
> A step which has really profound privacy implications.
>
> I couldn't find a PGP key server operator that committed itself to
> keeping logs confidential and deleting them in a timely manner (but I
> didn't look very hard, either).  Of course, since PGP hasn't
> progressed as fast as our computing resources, I'm nowadays in a
> position to run my own key server, but this is hardly a solution to
> that kind of problem.

OK, I buy the problem, but until we do something about the totally
non-anonymising properties of the 'net, revealing that I want the public
key for some person seems to be quite minor - compared, for example, to
revealing that I sent him email each time I do.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

NPR : E-Mail Encryption Rare in Everyday Use
user name
2006-03-01 07:58:25
Somebody, probably Florian, wrote:
> > I couldn't find a PGP key server operator that committed itself to
> > keeping logs confidential and deleting them in a timely manner (but I
> > didn't look very hard, either).

Keyservers are a peripheral issue in PGP -
important for convenience and for quick distribution of revocation lists,
but they're very strongly just a tool for convenience.

Security through Inconvenience is one flipside of Security through
Obscurity, I suppose...

If you've got a threat model that includes traffic analysis,
then either you and your unindicted co-conspirators
need to find other ways to exchange keys,
like printing them on business cards,
or find a keyserver that lets you suck down all the keys
so it's not obvious which key you're looking for,
or start using Tor to access the keyservers.

Or you could try using the Google Keyserver -
   just because there isn't one
doesn't mean you can't type in "9E94 4513 3983 5F70"
or 9383DE06   or   bobbob.com "PGP Key"
and see what's in Google's cache.





NPR : E-Mail Encryption Rare in Everyday Use
user name
2006-03-04 15:38:24
* Bill Stewart:

> Or you could try using the Google Keyserver -
>   just because there isn't one
> doesn't mean you can't type in "9E94 4513 3983 5F70"
> or 9383DE06   or   bobbob.com "PGP Key"
> and see what's in Google's cache.

What peculiar advice.  We know for sure that Google logs these
requests and stores them indefinitely. 8-(
