Quote from: Geezy_Weezy on March 24, 2013, 03:44 pm
@pinei I cannot locate my gpg.conf location, could you please help me. I'm using Mac OS X

Sorry for the delay, overlooked your message. It should be under "~/.gnupg/gpg.conf". This is an address, you need it (without quotations) to find the file, but since you're using OSX you'll need extra steps to find the address bar.

http://superuser.com/questions/174297/how-can-i-get-an-address-bar-in-finder

Read that, find one of their solutions and then copy-paste that line into your address bar; it should take you to the folder in which the gpg.conf file is located.

If you choose to navigate to the file through the GUI manually, then you'll need to turn on the Show Hidden Files option in Mac, wherever that is. The ~ character is whatever your home directory is, e.g. if your account is called "geezy" then the "geezy" directory is the home directory.

Macs are perfectly easy to use until you want to do something Steve Jobs himself didn't think of personally.

Quote from: astor on March 25, 2013, 02:27 am
Anonymizing the key IDs doesn't offer extra protection in some cases. For example, if you send a message to a vendor, or an email to someone on TorMail, anyone with access to the SR or TorMail servers knows who the recipient is, so there's no reason to hide the key IDs from them.

Yes, it very much depends on your use of this feature.

To newbs: if I wrote down an encrypted message using throw-key-ids, put it into a letter and posted it to a friend with his address on the front of the envelope and mine on the back of it, then using throw-key-ids to prevent traffic analysis would be somewhat pointless. However, if I wrote a message using a one-time account on SR, then you would successfully be able to communicate without revealing your (SR) identity to traffic analysis if LE hack the server. You'd use a new account per instance of a two-way chat communication. Although this sounds like work, it's probably worth the trouble for very important communications. That way only the compromise of the recipient can possibly leak information about the sender. You'd have to mix up what algorithms and key lengths you were using as well for each new public key, since throw-key-ids doesn't get rid of that information (persistently using the same settings for each key would be a giveaway).

The reason why I mention server hacking is important: nobody should assume that their messages will be 'hidden' unless they are encrypted. If you were ordering a large amount from a vendor, you almost certainly should be using such methods as these. If a vendor doesn't 'get' it, find one that does.

Encryption can do more than merely hide your messages; if used properly it can also make it impossible to associate any identity with transmission importance within the network. That is the death knell for LE teams; there is then no earthly way to prioritize their pattern analysis algorithms beyond wild guesswork. They spend a great deal of time building a "Who's Who" of Darknet participants and they'll be infuriated if lots of people start adopting practices which remove PGP key ID information out of existence.

Another good use of this feature is when using anonymous remailers (for the final message the sender receives). This is a network of email servers that serves to send anonymous email, a sort of pre-Tor anonymity project for email.

Quote from: quinone on March 25, 2013, 06:19 am
I thought I was a weirdo hyper-paranoid hypocrite because I've always kept my ONE AND ONLY key in one place and would always use another instance of GPG with my keychain (I keep it small, more so actually to remember the really good vendors I've worked with). But you just put my mind at ease, now I'm just a weirdo hyper-paranoid human being, no more hypocrisy!

It's good to pay attention to your instincts, they are there for a reason.

Quote from: NW Nugz on March 25, 2013, 07:10 pm
Seems to me we need to have a privacy-enabled version of software we can get that is already set up with the changes suggested in the OPs as defaults rather than options. Or, a handy user interface with buttons to push to implement these changes. Maybe sell the software on SR? :-)

I think so too. Although selling the software would be impossible. APG (anonPG) or something. It could have a list of requirements like:

1. The inability to communicate with keyservers. Or route all such traffic via Tor with explanatory warnings.
2. Puts public keys you haven't used into a password-protected encrypted volume after 30 days of non-use.
3. Transparent way to encrypt anonymously for you, and another option for your recipient.
4. No metadata within the PGP headers.
5. 8912 bit available as standard.
6. Open source for code inspection (hence the difficulty of selling it).
7. Steganography options for embedding messages into audio, video, images etc.
8. Ability to set up anonymous remailers with ease.
9. Self-destruct feature.

I'm sure you guys can think of lots of other things. Simply making it obvious what is what would lift a huge burden on the amount you have to know before you're doing what you want to be doing. Some of it sounds like heavy lifting like the steg and remailers, but actually most of this already exists in the form of open source projects; it's mostly a matter of building a clever GUI to let people access the power of such tools. I don't have the time for it, but it'd make a great project for somebody.
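Added example, not code from this thread: a small Python parser for the OpenPGP Public-Key Encrypted Session Key packet header that makes concrete two points raised above, that throw-key-ids blanks the recipient key ID while the algorithm and key length stay visible, and the later wishlist item about metadata in the PGP headers. The packets it reads are constructed by the helper build_pkesk with a made-up key ID; it assumes the standard RFC 4880 packet layout and gpg's --throw-keyids behaviour of writing an all-zero key ID.

```python
"""Added example, not the thread's own code: parse an OpenPGP PKESK packet
(RFC 4880 sec. 5.1) and show what a passive observer still learns. With
--throw-keyids the 8-octet recipient key ID is all zeros, but the public-key
algorithm and, through the MPI size, the recipient's key length remain."""
import struct

PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 16: "ElGamal", 18: "ECDH"}
WILDCARD = b"\x00" * 8  # "anonymous recipient" key ID written by --throw-keyids


def packet_body(packet: bytes):
    """Strip the packet header (old or new format); return (tag, body)."""
    first = packet[0]
    if first & 0x40:                                  # new format, 4.2.2
        tag, n = first & 0x3F, packet[1]
        if n < 192:
            return tag, packet[2:2 + n]
        if n < 224:
            n = ((n - 192) << 8) + packet[2] + 192
            return tag, packet[3:3 + n]
        raise ValueError("5-octet/partial lengths not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old format, 4.2.1
    if ltype == 0:
        return tag, packet[2:2 + packet[1]]
    if ltype == 1:
        return tag, packet[3:3 + struct.unpack(">H", packet[1:3])[0]]
    raise ValueError("unsupported old-format length type")


def parse_pkesk(packet: bytes) -> dict:
    """Recipient metadata visible to anyone who holds the ciphertext."""
    tag, body = packet_body(packet)
    if tag != 1 or body[0] != 3:
        raise ValueError("not a version 3 PKESK packet")
    key_id, algo = body[1:9], body[9]
    # First MPI starts with a 2-octet bit count. For RSA the encrypted session
    # key is modulus-sized, so this gives away the key length (+/- a few bits).
    mpi_bits = struct.unpack(">H", body[10:12])[0]
    return {"key_id": key_id.hex().upper(), "anonymous": key_id == WILDCARD,
            "algorithm": PK_ALGOS.get(algo, f"unknown({algo})"), "key_bits": mpi_bits}


def build_pkesk(key_id: bytes, algo: int, mpi_bits: int) -> bytes:
    """Constructed test packet (new-format header) carrying a dummy MPI."""
    nbytes = (mpi_bits + 7) // 8
    mpi = struct.pack(">H", mpi_bits) + b"\x80" + b"\x11" * (nbytes - 1)
    body = b"\x03" + key_id + bytes([algo]) + mpi
    if len(body) < 192:
        return bytes([0xC1, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC1, (n >> 8) + 192, n & 0xFF]) + body
```

Running parse_pkesk over the PKESK packets of a real gpg message (gpg --list-packets shows the same fields) lets you confirm whether a recipient's key ID was thrown and what the packet still reveals.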