Newbie: Choosing a user ID questions
linux at codehelp.co.uk
Sun Feb 1 00:25:49 CET 2004
On Saturday 31 Jan 2004 10:05 pm, Peter Valdemar Mørch wrote:
> A couple of newbie questions regarding chosing a user ID:
> 1) Avoiding spam _and_ including the email address in user ID
Generally there are far easier ways of harvesting email addresses than
trawling through keyservers - the list of UID's may be clearly visible when
you inspect a key via a keyserver www interface but using it to collect
millions of addresses just doesn't seem practical when there is no list of
all known key ID's. If spammers can't get a few million addresses, there
wouldn't seem much point. (There are also quite a few dead keys on keyservers
- people sometimes just stop using them or usually just forget the passphrase
without generating a revocation certificate beforehand.)
> I get too much spam, so I'd like to use a userID such as:
Use a spam filter instead?
(Have you considered that this list is publicly archived - your email address
is scrambled in a similar way by mailman but it is still retrievable. It all
depends on the amount of effort required.)
> Peter Valdemar Mørch <peterRemoveThis at domain.no.spam.com>
This kind of thing is quite common on Usenet - that hasn't stopped usenet
being a source of data for spammers.
> But obviously that is not my correct email address. Is this "A Good
> Thing"? Should I rather omit email address altogether? (Especially if I
> later will ask others to sign it?)
Many of the more frequent signers use scripts to make verification easier and
most are hand-crafted. It wouldn't help if your UID email address needs
> The email address is optional when generating a key pair, but almost all
> the entries on e.g. the MIT PGP Public Key Server have email addresses.
> Can I safely omit it? Are there any consequences of that? Don't the
Personally, I'd say the email address is expected if the key is going to
become public. You can do what you like with a key only used locally but if
you want others to sign it and trust it, I'd expect at least some people to
be upset at such constructs.
When you ask someone to sign your key, you are asking them to verify the UID
and the person. If the UID cannot be verified because it lacks a valid email
address, I can see some people simply not signing the key. I probably
wouldn't. After all, I would usually sign someone's key to enable encrypted
communication via email - it adds another hurdle to have to verify an address
that is not contained in the UID. Some email clients use the To: email
address to find the best key to use for the encryption.
> spam email address harvesters come to key servers for some reason?
Others will know for definite but I suspect it's just too much like hard work.
> 2) Why is the user ID "hidden"/embedded with --export --armor?
> How to extract the user ID from such an armored key without changing
> my keyring?
View it in a keyserver?
> I'm just wondering why the ASCII armored output from --export --armor
> doesn't contain the userID in clear text, so it is human readable.
The export block itself isn't usually of human interest. Under what
circumstances would you want to read it? If you've got the block, it's
usually from a keyserver or website that would declare the full key details,
including fingerprint, if requested.
> I did get this to work:
> $ gpg --no-default-keyring --keyring ./bogus --import a_foreign_key
> $ gpg --no-default-keyring --keyring ./bogus --list-keys
> $ rm bogus bogus~
> will show the userID, but isn't there an easier way?
If you want to store exported keys in text files (for some unknown reason),
just use the name of the text file to identify the key(s) inside. (I do this
sometimes for users whose keys keep getting mangled by keyservers.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Url : /pipermail/attachments/20040201/5884390d/attachment.bin
More information about the Gnupg-users