email hashes in PGP keys as protection against spam

John Clizbe John at Mozilla-Enigmail.org
Mon Oct 5 22:31:07 CEST 2009


Robert J. Hansen wrote:
> Hauke Laging wrote:
>> My aim is to let people publish their keys without being afraid that *this* 
>> action leads to (more) spam. Have you considered that some people are not 
>> willing to use spam filters for certain addresses?
> 
> Sure, but this just goes to show you that people are awful at estimating
> risks.  Take flying as an example: driving to the airport is the most
> dangerous part of the trip, but people are more afraid of the plane
> crashing than them getting into a fatal car accident.  Likewise, anyone
> who keeps their keys off the keyservers because they're afraid of
> getting spam is fantastically missing the point.

They are also not so good at estimating the incidence of "Keyserver SPAM".
Yes, it happens. But when I tried to measure it, it was of a level statistically
indistinguishable from random noise.

> If this is really your aim, then I think this proposal needs to get shot
> down.  The protocol can either address real concerns or else it can make
> people feel better about things without actually doing anything at all.
>  The former is engineering; the latter is snake-oil.

I see this proposal breaking a lot of applications to "solve" a minute level of
SPAM. It's a security blanket that really doesn't address the problem, only a
perceived cause.

>> A second reason to do this is privacy. There is no reason to allow easy 
>> queries for the email addresses somebody or an organization uses.
> 
> So run a private keyserver.  Bang, problem solved.

LDAP servers make a great keyserver for this sort of application.

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"



More information about the Gnupg-devel mailing list