Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Fwd: hi...



hi All,

In view of the upcoming PGP keysigning, I would like to see if we can
discuss the topic of 'privacy with pgp keys'

I found these two discussions online

http://crypto.stackexchange.com/questions/9403/how-can-i-remove-my-personal-data-from-my-pgp-public-key
http://crypto.stackexchange.com/questions/9388/is-my-identity-exposed-when-publishing-my-public-key-or-encrypting-with-pgp

Has anyone on the list thought of this before, or used some
similar/alternative strategies to achieve the same result?

Mayuresh

---------- Forwarded message ----------
From: John Abreau <jabr at blu.org>
Date: Fri, Aug 21, 2015 at 3:59 PM
Subject: Re: hi...
To: Mayuresh Rajwadkar <m.m.rajwadkar at ieee.org>


I'm not aware of any such efforts, but I haven't been looking for them.

If you ask these questions on our mailing list, there's a good chance of
getting responses from people actively involved in such efforts, if those
efforts exist.

On Fri, Aug 21, 2015 at 9:30 AM, Mayuresh Rajwadkar <m.m.rajwadkar at ieee.org>
wrote:

> hi
>
> I am not actually questioning the key-signing process...
> I understand that, and I am okay with it as of today..
>
> I am wondering 5/10/15 years from now will it be the same as now...
> Is there any effort/development in process/or possible which could add
> some 'privacy' to the gpg/pgp conventions....
>
> Mayuresh
>
>
>
>
> On Fri, Aug 21, 2015 at 2:25 AM, John Abreau <jabr at blu.org> wrote:
>
>> Hi Mayuresh.
>>
>> We've never had an issue with spam in relation to our keysignings, and
>> our process assumes at least one valid email address on each key so
>> attendees can send the keys they sign back to the person who owns each key.
>>
>> Attendees sign the keys after the meeting; our process during the meeting
>> simply verifies that attendees have valid IDs proving they are who they say
>> they are, and that their key IDs and fingerprints are listed correctly on
>> the check sheet.
>>
>> The process we recommend to attendees for signing keys is to sign each
>> key and encrypt the result so that only the person with that key can
>> retrieve the signature, and then email the encrypted, signed key to the
>> email address associated with the key in order to prove that the person who
>> controls that key also controls that email address.
>>
>> Without an email address in the key, our process would not work.
>>
>>
>> On Thu, Aug 20, 2015 at 7:49 PM, Mayuresh Rajwadkar <
>> m.m.rajwadkar at ieee.org> wrote:
>>
>>> hi John,
>>>
>>> I really enjoyed the last meeting.
>>>
>>> here is the problem I was trying to describe.
>>>
>>> when we create pgp keys we use our email address as an ID, to publish the
>>> key...
>>> When we upload the key to a keyserver our email address becomes public
>>> on the internet
>>> and open to spam&co
>>>
>>> I had read an article/post on one of the forums which has suggested to
>>> use a
>>> RFC4122 to use as a primary ID on the pgp keypair, and have that
>>> uploaded to the server
>>> so that it does not have email information in it. The same pgp could
>>> then have additional uid's
>>> which could be kept with the keypair but not uploaded
>>> I don't know where I read this at, but I am sure someone must have given
>>> some thought on the
>>> topic, and maybe there are other ways around it.
>>>
>>> I was wondering if you guys have any other novel method wherein the
>>> email-address could be
>>> sort of kept secret from spam&co.
>>>
>>> Mayuresh
>>>
>>>
>>> On Thu, Aug 20, 2015 at 7:32 PM, John Abreau <jabr at blu.org> wrote:
>>>
>>>> Hi Mayuresh.
>>>>
>>>>
>>>> What were you asking me yesterday?
>>>>
>>>> We normally have a talk on some aspect of security, prior to the
>>>> keysigning at the end of the meeting.
>>>>
>>>> At the moment, the guy who usually does the talk has a prior commitment
>>>> and cannot be at the meeting, and an alternative speaker I had invited to
>>>> replace him replied this afternoon that he's also away on the day of the
>>>> meeting.
>>>>
>>>> I'm still trying to find another speaker for the meeting.
>>>>
>>>>
>>>>
>>>> On Thu, Aug 20, 2015 at 5:26 PM, Mayuresh Rajwadkar <
>>>> m.m.rajwadkar at ieee.org> wrote:
>>>>
>>>>> hi John,
>>>>>
>>>>> I was the guy trying to talk to you yesterday about the PGP signing,
>>>>> and you were not able to hear..
>>>>>
>>>>> https://www.linkedin.com/in/mayur0122
>>>>>
>>>>>
>>>>> Regards
>>>>> Mayuresh
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> John Abreau / Executive Director, Boston Linux & Unix
>>>> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
>>>> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
>>>>
>>>>
>>>
>>
>>
>> --
>> John Abreau / Executive Director, Boston Linux & Unix
>> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
>> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
>>
>>
>


-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
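
Added example (not part of the thread and not BLU's own tooling): a check of which user IDs on a key would disclose an email address if the whole key were sent to a keyserver, following the UUID-as-primary-UID idea raised above. The listing is constructed sample data in the format of `gpg --list-keys --with-colons`, and the function names are illustrative.

```python
import re
import uuid

# Constructed sample in the format of `gpg --list-keys --with-colons`
# (made-up key material and addresses, not taken from the thread).
SAMPLE_LISTING = r"""
pub:u:4096:1:AAAAAAAAAAAAAAAA:1440115200:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:u::::1440115200::1111111111111111111111111111111111111111::urn\x3auuid\x3a6f1c2d3e-4a5b-4c6d-8e7f-0123456789ab::::::::::0:
uid:u::::1440115300::2222222222222222222222222222222222222222::Example User <user@example.org>::::::::::0:
uid:r::::1440115400::3333333333333333333333333333333333333333::old@example.net::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1440115200::::::e::::::23:
"""

EMAIL_RE = re.compile(r"[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+")

def unescape(field):
    # gpg writes ':' and other special bytes inside a field as \xNN.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def parse_uids(listing):
    """Return (validity, user_id) for every uid record in a colon listing."""
    uids = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid" and len(fields) > 9:
            uids.append((fields[1], unescape(fields[9])))  # field 10 = user ID
    return uids

def classify(user_id):
    """'email' if the UID carries an address, 'uuid' if it is only an RFC 4122 UUID."""
    if EMAIL_RE.search(user_id):
        return "email"
    try:
        uuid.UUID(user_id)  # also accepts the urn:uuid: form
        return "uuid"
    except ValueError:
        return "other"

def audit(listing):
    """Group the key's UIDs by what a public export would disclose."""
    report = {"email": [], "uuid": [], "other": []}
    # Revoked UIDs (validity 'r') still travel with an exported key, so count them.
    for _validity, user_id in parse_uids(listing):
        report[classify(user_id)].append(user_id)
    return report
```

Anything in the `email` bucket is on the key and would be published with an unfiltered export; only the `uuid` entries are safe to expose under the scheme described in the thread.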



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org