[Enigmail] From Circumvention

Rainer Blome rainer.blome at gmx.de
Sat Mar 7 01:02:28 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 06.03.2015 um 21:37 schrieb Phil Stracchino:
> On 03/06/15 15:16, David wrote:
>> I am confused by this request. What difference does it make if 
>> 'someone else' knows whose public is on your public keyring?
> 
> If they know whose public keys are on your keyring, they know who
> you talk to.  You may not wish them to know this.  Depending on who
> you are and who you talk to, their knowing it could be very
> dangerous to you.

That is what I mean.

Security is a matter of cost and benefit.
Against an adversary who can monitor all global smtp traffic,
this would not make a difference, because such an adversary
already knows who everyone is connected to.
But there are not many of these.
Less capable adversaries probably know only a fraction of the
metadata flying around. To these, when such a feature is in effect,
compromising a keyserver or its traffic would be a cost-effective way
to learn many communication relationships.

When you want your communication partners to use a new key
of yours, why wait until they notice or poll a server?
Why not tell them immediately? Seems like a client-side,
key ring management job to me. If a mail client or key store
notices an expired or superseded key, it might offer or at
least suggest to notify the relevant communication partners.

Rainer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJU+kAUAAoJEI/iM7d3pEsvUTEP/ilY8FfzPF+xDBdBqFRT8U9Y
mETqUNHgMgbz9kCUbDUT/jGTgRM+aFw1uK5u0XCFAXkAt/tq8YVzStiarF0DRxJJ
FSaoZR3W4ROxp4PpLQCrBtWWFN0s6lQVJ+9dI/f6cunLJHUl4ReODQo3sN94pcPG
DJIw2X1kwoMYv2hadX51WN7W1u/9yyDQxLe9MsPADeWPpmlKZIWqs5m4KqyNym2B
W9gcNE50z/4y/BqnNcF23jXxsifw7ko7x3iATVaDIoZ54IgghikxSXH46oNt4KVf
BKvPEQajM+trAC4HQfX2eX1W96CufHZV+NgGx5mJdgXQAVxk/WFPsku2i8BnjfT8
FCietKBsgNzl4WqdItNu0ZqBRt7+5jt6wBbbMYlkkmcAWiGtlxaQGveTDZBQ1f7h
r0EzlVVYHh9yLgwyGeJ4slW9727Bx9RcbpWyw9cK6oqgnCDrpc5e4psovbmfFtXw
/bt9TVf0fbl2Q3zBiTRdqebRa6nB2dG4uAm5zjY6qSRrfWMWNEBT7RuNUDVIz6vn
09frYwaVJ0OpDB6al2fidfd9lP9n+i9kan4qTOM1cJFFOG0VU2kTt+3/ggRQkaJj
k1jt59t1xHdaNsJGWBFp3oBjUBRyIDxU1+Y7pMbhzICcRZLzox2zu72FJeUrL6Lz
Tkawo3PXC5L+9B6yKMEx
=5OaT
-----END PGP SIGNATURE-----



More information about the enigmail-users mailing list