by hashtagmarkup 2046 days ago
> The threat is not limited to politicians. Anyone (including you and your family members) could be blackmailed or otherwise publicly embarrassed.

... for what they actually did.

You think the solution is allowing people to be blackmailed or otherwise publicly embarrassed for things they didn't do, while removing their ability to verify that they didn't do them?


You're assuming no one has compromised the old keys. If that has happened, a blackmailer can forge old emails with proof of things you didn't do.
> ... for what they actually did.

Being gay is not a crime, and yet people can be blackmailed with it. It is very easy to open yourself up to blackmail by perfectly legitimate activities.

True, there are things that might ruin someone's life even though there's nothing bad about them, but the list of actual crimes and bad things that people do is WAY longer, and being able to prove it is definitely useful...
The same argument can be used to build a police state. But I suspect that you’re not in favour of that either.

We shouldn’t be building technical systems that “trap” people, just because they might be doing something bad and might want to prove that one day.

Additionally you’re also ignoring the whole “people have the right, to not have their emails stolen” argument. DKIM signatures are only useful if the emails are stolen, are you trying to suggest that it’s ok to steal emails from people if they’re bad?

> Additionally you’re also ignoring the whole “people have the right, to not have their emails stolen” argument

No, just the opposite, that is an excellent argument and I think that the privacy should be the real focus when we discuss the freedom, and not the accountability. Because freedom is not to be able to get away for the lack of evidence, freedom is not to put innocent people in that kind of situation in the first place.

Police state doesn't come from the ability to track citizens, it comes from the lack of transparency and government's misuse of the information. Now, reality is that having more data collecting increases the chances of misuse, but I think we're attacking the problem from the wrong side. Rather than killing the option to track emails, there should be much more control and transparency on when and how that data can be collected and used.

> Being gay is not a crime, and yet people can be blackmailed with it. It is very easy to open yourself up to blackmail by perfectly legitimate activities.

Option 1: DKIM keys stay private... "That email was just a joke, I'm not really gay" Option 2: DKIM keys go public... "That email was just someone else's joke, I'm not really gay"

Not really a difference, and with option 2 you can't prove you didn't send it (as far as you can prove someone didn't crack 2048 bit RSA and use that power to concern themselves with your sex life).

Being able to prove a fascist dictator who was killing people for being gay, was secretly engaging in gay acts themselves, might help your cause of protecting gay people.

> Being able to prove a fascist dictator who was killing people for being gay, was secretly engaging in gay acts themselves, might help your cause of protecting gay people.

How?

Because the DKIM keys were not made public, and a message sent from their account could be confirmed to be authentic.

If the keys were public, they could claim forgery. Regardless they could claim their account was hacked, but they couldn't deny the message was sent from their account.
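The mechanism this comment describes, as an added example that is not part of the original thread: a toy model showing what a third-party verifier can conclude before and after the signing key is published. The key, addresses and messages are constructed, and textbook RSA over a single SHA-256 hash is an assumed simplification of real DKIM signing.

```python
import hashlib

# Constructed toy key: two Mersenne primes stand in for a real 2048-bit DKIM key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public part, as published in DNS
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def digest(headers: str, body: str) -> int:
    """Simplified stand-in for DKIM's canonicalised header and body hashes."""
    data = (headers + "\r\n\r\n" + body).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_exp: int, headers: str, body: str) -> int:
    """Textbook RSA signature (no padding); real DKIM uses PKCS#1 v1.5."""
    return pow(digest(headers, body), private_exp, N)


def verify(headers: str, body: str, signature: int) -> bool:
    """What any third party holding the public key can check."""
    return pow(signature, E, N) == digest(headers, body)


def scenario() -> dict:
    headers = "From: alice@example.test\r\nSubject: lunch"   # constructed
    sent_body = "See you at noon."
    sent_sig = sign(D, headers, sent_body)   # made by the provider at send time

    # After rotation the provider publishes D; anyone can now run sign().
    published_d = D
    other_body = "Text the account never sent."              # constructed
    other_sig = sign(published_d, headers, other_body)

    return {
        "sent_mail_verifies": verify(headers, sent_body, sent_sig),
        "unsent_mail_verifies": verify(headers, other_body, other_sig),
        "edited_mail_rejected": not verify(headers, "See you at one.", sent_sig),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

While D is secret, only the provider can produce a signature that verifies, so a valid one ties the message to the provider's servers. Once D is public, both the sent and the unsent message verify, and the check no longer distinguishes them.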

I'm not asking how the technical mechanism proves the messages may be legitimate. I'm asking how you could use that knowledge in the specific situation you outlined to accomplish anything productive.
I'm not the person who said outing people as gay was productive. The other person claimed it could be destructive.
People change over time, and normal human communications have a natural sunset as most people don't remember every conversation in exacting detail. It is worth at least considering the fact that we've signed up to have basically all our communications preserved and cryptographically signed in perpetuity. Most people using these services didn't fully weigh the options.
No. Once DKIM keys are published, one can simply deny all emails published "from their account". We currently have a way for an attacker to prove an email's origin years after the fact.
Yes. We are saying the same thing.
You're misunderstanding how this works.

You can't be blackmailed by someone who has no plausible evidence.

I'm afraid there's also a misunderstanding of how the real world works. Cryptographic and real-world plausibility are two entirely different things.

People get blackmailed, shamed, hurt and even killed over mere rumors, speculations and suspicions. As long as people believe in something (because something merely looks plausible), there's no need for a fancy crypto to prove some machine sent some email. I'd dare to say most people don't even understand what cryptography is and what digital signatures really are (who signs what and what exactly this means).

I'm yet to hear a story of, let's say, a brave dissident who got out of jail because of cryptographic plausible deniability property making their oppressors unable to prove authenticity of some leaked or intercepted correspondence.

Read up on the Hunter Biden emails. After a DKIM signature was verified, the perception of a large number of people (including right here on HN) went from "this cache of email is probably total fiction" to "they likely do have access to at least some of his emails".
They don’t have plausible evidence anyway. Gmail has had bugs before with SPF/DKIM and will have some again for sure.

Some Google employees have direct and indirect access to signing keys or writing emails. Not many, and they have good controls, but still many people with the ability to sign messages.

Not to mention a Trojan infiltration or account takeover, of which thousands (if not millions) a day occur.

The DKIM evidence is, for legal purposes, a good hint but far from proof.

In the court of public opinion, the standard is not "100% proven beyond any reasonable doubt". Hence, blackmail can still be very effective if an accusation is highly plausible.
Yes, but it’s not DKIM or not DKIM that will make it plausible in the court of public opinion.
Current events prove otherwise. See Hunter Biden.
I have not seen a single mention of DKIM w.r.t. Hunter Biden. Did you? Was any evidence presented? I couldn’t find any.

I fail to see how admissibility or lack of it, in a court of law or of public opinion, has anything to do with DKIM+Hunter Biden. Can you elaborate?

You're misunderstanding how destruction of evidence works.
Huh? No one (including yourself) has mentioned anything about "destruction of evidence" so far. If you care to enlighten me about how it's relevant I'm happy to listen.
By making the DKIM keys public, you are converting solid evidence of something that was said into something that was either really said, or someone else pretended that they said.

Evidence was destroyed.

No, destruction of evidence involves things like making something impossible to analyze and evaluate. Publication of a key doesn't erase the original messages and does not make it impossible to look into their contents to try to establish authenticity by external means. Causing ambiguity is not destruction of evidence.
What do you call it when someone pees into someone else's pee sample?
This describes all encrypted and short lived messages.

Edit: Removed the word "literally" because it was incorrect and caused distraction from the actual argument.

It doesn't at all. You're misunderstanding. Or, are you using the word "literally" in the modern sense of "not literally"?
> for what they actually did

All blackmail involves things a person actually did... otherwise it would be libel or slander.

You seem to be arguing that blackmail shouldn't be illegal.