PGP reveals the key ID of the recipient of encrypted msg

I began testing PGP a few days ago (I'm a PGP newbie) and I found that it gives out the key ID of an encrypted message. From this you can get the identification of the recipient of the message, if it's someone who has publicly distributed his key (keyserver, homepage ...). So even if you are unable to decode the message you can find who is the recipient of a given message. I think this is a big privacy problem.

The problem is carried along when you encrypt a message for multiple recipients, you get the key IDs of all the recipients and same problem as above. I think something like 'blind email copy' should be used, because the recipients don't have to know the identity of each other.

Comments from long time PGPer will be welcome

savron@world-net.sct.fr wrote:

| The problem is carried along when you encrypt a message for multiple
| recipients, you get the key IDs of all the recipients and same
| problem as above. I think something like 'blind email copy' should
| be used, because the recipients don't have to know the identity of
| each other.
|
| Comments from long time PGPer will be welcome

If someone is concerned about this, they can create a new anonymous key, and use that for their correspondence. They can sign & encrypt it to the correspondents they want to use that key.

Keys are cheap. Everyone should have a bunch.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

On Mon, 11 Mar 1996 savron@world-net.sct.fr wrote:

> I began testing PGP a few days ago (I'm a PGP newbie) and I found that it gives out the key ID of an encrypted message. From this you can get the identification of the recipient of the message, if it's someone who has publicly distributed his key (keyserver, homepage ...). So even if you are unable to decode the message you can find who is the recipient of a given message. I think this is a big privacy problem.

The recipient of the message is right in the "To:" header of the message. If you anonymously remail a message, however, only the last remailer in the chain will know to whom the message is encrypted, but the last remailer can also just read the "To:" header. I don't find this to be a problem at all.

> The problem is carried along when you encrypt a message for multiple recipients, you get the key IDs of all the recipients and same problem as above. I think something like 'blind email copy' should be used, because the recipients don't have to know the identity of each other.

You could just encrypt a message to different key IDs separately, rather than in one pass of PGP. That would have the effect of Bcc.

--Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me
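Added example, not part of any post in this thread: a minimal reader for the packet framing of a binary (unarmored) OpenPGP message, showing that the recipient key IDs the thread discusses sit in the clear in each Public-Key Encrypted Session Key packet (tag 1). It assumes the RFC 4880 packet layout, which postdates this thread, and treats an all-zero key ID as that RFC's "wild card" key ID (what GnuPG writes with `--throw-keyids`). The function names and sample key IDs are constructed for illustration.

```python
import struct

def iter_packets(data):
    """Yield (tag, body) for each packet in binary (unarmored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:                       # new-format header (RFC 4880)
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:                            # partial body length: data packet
                return
        else:                                # old-format header (PGP 2.x)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                   # indeterminate length: data packet
                return
            n = 1 << ltype
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(data):
    """Key IDs readable, without any private key, from the tag 1 packets."""
    ids = []
    for tag, body in iter_packets(data):
        if tag == 1 and len(body) >= 10:     # version, 8-octet key ID, algorithm
            keyid = body[1:9].hex().upper()
            ids.append("hidden" if keyid == "0" * 16 else keyid)
    return ids

def make_pkesk(keyid_hex):
    """Constructed sample packet: version 3, key ID, RSA (1), dummy 16-bit MPI."""
    body = bytes([3]) + bytes.fromhex(keyid_hex) + bytes([1]) + b"\x00\x10\xab\xcd"
    return bytes([0x84, len(body)]) + body   # old-format header, tag 1

# Constructed message: three recipients (one with a zeroed key ID), then a
# tag 9 encrypted-data packet with placeholder bytes. Key IDs are made up.
SAMPLE = (make_pkesk("1122334455667788") + make_pkesk("99AABBCCDDEEFF00")
          + make_pkesk("0000000000000000") + bytes([0xA4, 8]) + bytes(8))

if __name__ == "__main__":
    print(recipient_key_ids(SAMPLE))
```

Every recipient of a multi-recipient message receives all of the tag 1 packets, so each of them can read the same list; a zeroed key ID hides which key was used but not how many recipients there are.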
participants (3)
- Adam Shostack
- Mark M.
- savron@world-net.sct.fr