[tor-talk] Torbirdy and gpg --throw-keyids

Jacob Appelbaum jacob at appelbaum.net
Sun Jul 22 18:38:17 UTC 2012


Tim Wilde:
> On 7/18/2012 6:19 PM, Jacob Appelbaum wrote:
>> The gpg manpage says the following:
> 
>> Do not put the recipient key IDs into encrypted  messages.  This 
>> helps  to  hide  the  receivers  of the message and is a limited 
>> countermeasure against traffic analysis. ([Using a little social 
>> engineering  anyone who is able to decrypt the message can check 
>> whether one of the other recipients is the  one  he  suspects.]) On
>> the  receiving side, it may slow down the decryption process 
>> because all available secret keys must  be  tried.   --no-throw- 
>> keyids disables this option. This option is essentially the same as
>> using --hidden-recipient for all recipients.
> 
>> So lets say that I use gpg to encrypt the message to you, to me,
>> and to an additional key. I would reveal my own gpg key (which you
>> may not know, which may not be public), your key (which may be used
>> to ask you to disclose a specific key), and finally - it reveals
>> the third party which is not otherwise involved in the email
>> message headers at all.
> 
>> I'd prefer that this isn't revealed at all and lucky for us, gpg
>> allows us to hide that information.
> 
> Jake,
> 
> Maybe I'm being dense, but under what circumstances does it make sense
> for a GPG public key to be ... not public?  I genuinely would like to
> better understand your position.  My specific questions on your example:
> 
> * If you want to hide your key from me, how do you expect me to reply
> to the communication while maintaining the confidentiality?  I don't
> understand a use case in which this would make sense.  Hiding it from
> the public is one thing, but hiding it from the recipient?
> 

I regularly encrypt a key that isn't public because I want to keep a
copy of the email accessibly to that key.

> * What do you mean by "may be used to ask you to disclose a specific
> key", exactly?  The only thing doing the "asking" is my trusted local
> GPG instance, and in the case of --throw-keyids, it will actually be
> asking me /more/ questions and causing significantly more risk of
> information disclosure in the case of system compromise (but if my
> system is already compromised, I've already lost, so I still don't
> understand the threat profile here either).

The RIP Act in the UK, specifically I think, Section Three. That's the
current British tyranny where they may request your specific encryption
key and if you cannot produce it, they jail you.

> 
> * I won't argue about the third party, but that's already handled
> automatically by Enigmail when you BCC, which is typically the only
> way that third party key would get in the mix in a standard Enigmail
> use case scenario.
> 

I think the subtle difference here will be lost on most users. I admit,
I didn't know about this feature until you mentioned it.

> Additional to all of this, the GPG key itself is never being disclosed
> here, just its key ID.  It's still giving a unique identifier from
> which you can build a social graph, I'll grant you, but again, I'd
> argue that it's a real stretch to say this information is anything
> more than is already disclosed in the required SMTP headers.
> 
> Please, educate me!

I think this is less a matter of education and more a concern about
leaking information without user's consenting. It's such a subtle issue,
I feel like a lot of information that is cryptographically assured or
asserted - well, it leaks out.

All the best,
Jake


More information about the tor-talk mailing list