[Discuss] privacy with pgp keys

[abreauj at gmail.com (John Abreau)]

At a keysigning party, the process is to verify each participant's
identity, and verify that the key they claim ownership of is actually under
their control. Each participant verifies their key id and fingerprint, and
then all participants examine each others' photo ids, and afterward each
participant signs the keys they feel confident about and emails each signed
key to the corresponding person, encrypted so that only the owner of the
key can retrieve the signature.

If a key has been stripped of all traces of the owner's identity, I don't
see how it would be possible to adequately verify trust of that key during
the keysigning party.

On Thu, Sep 10, 2015 at 11:16 AM, Mayuresh Rajwadkar <m.m.rajwadkar at ieee.org
> wrote:

> hi All,
>
> In view of the upcoming PGP keysigning, I would like to see if we can
> discuss the top of 'privacy with pgp keys'
>
> I found these two discussions online
>
>
> http://crypto.stackexchange.com/questions/9403/how-can-i-remove-my-personal-data-from-my-pgp-public-key
>
> http://crypto.stackexchange.com/questions/9388/is-my-identity-exposed-when-publishing-my-public-key-or-encrypting-with-pgp
>
> Has anyone on the list thought of this before, or has used some
> similar/alternative strategies to achieve the same result.
>
> Mayuresh
>
> PS: Please ignore the previous post, gmail UI does not show me the subject
> by default.
> I wanted to add the conversation I had with John to the discussion.
> I am not sure if anyone would want to sign a key based just off a
> fingerprint...
>
>
>
> ---------- Forwarded message ----------
> From: John Abreau <jabr at blu.org>
> Date: Fri, Aug 21, 2015 at 3:59 PM
> Subject: Re: hi...
> To: Mayuresh Rajwadkar <m.m.rajwadkar at ieee.org>
>
>
> I'm not aware of any such efforts, but I haven't been looking for them.
>
> If you ask these questions on our mailing list, there's a good chance of
> getting responses from people actively involved in such efforts, if those
> efforts exist.
>
> On Fri, Aug 21, 2015 at 9:30 AM, Mayuresh Rajwadkar <
> m.m.rajwadkar at ieee.org>
> wrote:
>
> > hi
> >
> > I am not actually questioning the key-signing process...
> > I understand that, and I am okay with it as of today..
> >
> > I am wondering 5/10/15 years from now will it be the same as now...
> > Is there any effort/development in process/or possible which could add
> > some 'privacy' to the gpg/pgp conventions....
> >
> > Mayuresh
> >
> >
> >
> >
> > On Fri, Aug 21, 2015 at 2:25 AM, John Abreau <jabr at blu.org> wrote:
> >
> >> Hi Mayuresh.
> >>
> >> We've never had an issue with spam in relation to our keysignings, and
> >> our process assumes at least one valid email address on each key so
> >> attendees can send the keys they sign back to the person who owns each
> key.
> >>
> >> Attendees sign the keys after the meeting; our process during the
> meeting
> >> simply verifies that attendees have valid IDs proving they are who they
> say
> >> they are, and that their key IDs and fingerprints are listed correctly
> on
> >> the check sheet.
> >>
> >> The process we recommend to attendees for signing keys is to sign each
> >> key and encrypt the result so that only the person with that key can
> >> retrieve the signature, and then email the encrypted, signed key to the
> >> email address associated with the key in order to prove that the person
> who
> >> controls that key also controls that email address.
> >>
> >> Without an email address in the key, our process would not work.
> >>
> >>
> >> On Thu, Aug 20, 2015 at 7:49 PM, Mayuresh Rajwadkar <
> >> m.m.rajwadkar at ieee.org> wrote:
> >>
> >>> hi John,
> >>>
> >>> I really enjoyed the last meeting.
> >>>
> >>> here is the problem I was trying to describe.
> >>>
> >>> when we create pgp keys we use our email address as a ID, to publish
> the
> >>> key...
> >>> When we upload the key to a keyserver our email address becomes public
> >>> on the internet
> >>> and open to spam&co
> >>>
> >>> I had read a article/post on one of the forums which has suggested to
> >>> use a
> >>> RFC4122 to use as a primary ID on the pgp keypair, and have that
> >>> uploaded to the server
> >>> so that it does not have email information in it. The same pgp could
> >>> then have additional uid's
> >>> which could be kept with the keypair but not uploaded
> >>> I dont know where I read this at, but I am sure someone must have given
> >>> some thought on the
> >>> topic, and may be there are other ways around it.
> >>>
> >>> I was wondering if you guys have any other novel method wherein the
> >>> email-address could be
> >>> sort of kept secret from spam&co.
> >>>
> >>> Mayuresh
> >>>
> >>>
> >>> On Thu, Aug 20, 2015 at 7:32 PM, John Abreau <jabr at blu.org> wrote:
> >>>
> >>>> Hi Mayuresh.
> >>>>
> >>>>
> >>>> What were you asking me yesterday?
> >>>>
> >>>> We normally have a talk on some aspect of security, prior to the
> >>>> keysigning at the end of the meeting.
> >>>>
> >>>> At the moment, the guy who usually does the talk has a prior
> commitment
> >>>> and cannot be at the meeting, and an alternative speaker I had
> invited to
> >>>> replace him replied this afternoon that he's also away on the day of
> the
> >>>> meeting.
> >>>>
> >>>> I'm still trying to find another speaker for the meeting.
> >>>>
> >>>>
> >>>>
> >>>> On Thu, Aug 20, 2015 at 5:26 PM, Mayuresh Rajwadkar <
> >>>> m.m.rajwadkar at ieee.org> wrote:
> >>>>
> >>>>> hi John,
> >>>>>
> >>>>> I was the guy trying to talk to you yesterday abou the PGP signing,
> >>>>> and you were not able to hear..
> >>>>>
> >>>>> https://www.linkedin.com/in/mayur0122
> >>>>>
> >>>>>
> >>>>> Regards
> >>>>> Mayuresh
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> John Abreau / Executive Director, Boston Linux & Unix
> >>>> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID
> 0x920063C6
> >>>> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
> >>>>
> >>>>
> >>>
> >>
> >>
> >> --
> >> John Abreau / Executive Director, Boston Linux & Unix
> >> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
> >> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
> >>
> >>
> >
>
>
> --
> John Abreau / Executive Director, Boston Linux & Unix
> Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6