Newbie: Choosing a user ID questions

Atom 'Smasher' atom-gpg at suspicious.org
Sat Jan 31 22:21:30 CET 2004 

On Sat, 31 Jan 2004, [ISO-8859-1] Peter Valdemar M=F8rch wrote:

> A couple of newbie questions regarding chosing a user ID:
>
> 1) Avoiding spam _and_ including the email address in user ID
>
> I get too much spam, so I'd like to use a userID such as:
>
> Peter Valdemar M=F8rch <peterRemoveThis at domain.no.spam.com>
>
> But obviously that is not my correct  email address. Is this "A Good
> Thing"? Should I rather omit email address altogether? (Especially if I
> later will ask others to sign it?)
>
> The email address is optional when generating a key pair, but almost all
> the entries on e.g. the MIT PGP Public Key Server have email addresses.
> Can I safely omit it? Are there any consequences of that? Don't the
> spam email address harvesters come to key servers for some reason?
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D

i would argue that it's not a good thing to leave the email address out of
a key (but it *is* a good question to ask).

here's one reason why <name-NOSPAM at address.com> won't work... pine (and
other MUAs?) determines which key to encode to using the email address.
so, if i send mail to <name at address.com> but the key is for
<name-NOSPAM at address.com> i'll get an error telling me that it can't find
a matching key.

basically, what the MUA wants to do is send the message through:
=09gpg --sign --encrypt --recipient name at address.com

so... if you run "gpg --list-keys your at email" and it can't find your key,
then you'd likely be causing problems for people.

based on my observations, i haven't received any spam where i suspect that
the address was harvested from a keyserver. that may or may not hold true
for any length of time into the future, but it's what i've seen so far. i
would like to see the keyservers put a little bit of pro-active defenses
in place against address harvesting: it's currently too easy for it to be
done either intentionally or accidentally, by someone linking to a page
that matches a *lot* of keys...

regardless of where your address is harvested from, there are some great
bayesian filters out there... i use (and personally recommend) spambayes.


> 2) Why is the user ID "hidden"/embedded with --export --armor?
>         and
>     How to extract the user ID from such an armored key without changing
>     my keyring?
>
> I'm just wondering why the ASCII armored output from --export --armor
> doesn't contain the userID in clear text, so it is human readable.
>
> I did get this to work:
> $ gpg --no-default-keyring --keyring ./bogus --import a_foreign_key
> $ gpg --no-default-keyring --keyring ./bogus --list-keys
> $ rm bogus bogus~
> will show the userID, but isn't there an easier way?
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D

the easy way:
=09gpg --export [-a] some-key-ID | pgpdump | egrep 'User ID -'

the "-a" is optional, and of course you'll need to install 'pgpdump'.



        ...atom

 _______________________________________________
 PGP key - http://smasher.suspicious.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

=09"In peace, sons bury their fathers.
=09 In war, fathers bury their sons."
=09=09-- Herodotus

More information about the Gnupg-users mailing list