explain nrsign & lsign?

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 29 07:18:18 CET 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The thing is degree. Yes, keys are likely harvested. But I will suggest
> you'll get /much more/ SPAM from sending a message to this list than you
> will from publishing an email address on a key and sending it to a
> keyserver.

While I agree that in general keyserver harvesting is not a huge  
problem for the community, we should be wary about thinking it will  
not become a huge problem for the community.  Prudence suggests we  
consider both alternatives.

> Those volumes represent about one or two days' worth on a couple other
> accounts.

This may only mean that there's only one spam syndicate who's  
harvesting keyservers, whereas the countless numbers of other  
spammers haven't caught on yet.  This could just as easily mean that  
other spammers have considered the option and decided it's a bad idea  
for whatever reason, and only one syndicate isn't getting the memo.   
Hard to say.

> So, yes - harvesting occurs. But its impact is being portrayed way out of
> proportion to its actual effect. I'd have to conclude that the benefits of
> having good addresses searchable on the keyservers far outweigh the
> negligible volume of SPAM that can be traced to actual harvesting.

The following is anecdotal experience, so it should be taken with a  
grain of salt.  Still, it's worth considering.

I spent some time without an email address listed on my key to test  
out for myself whether it would present a usability issue.  Turns out  
it didn't; putting OpenPGP kluges in my email headers told my  
recipients my key ID, which made it possible for them to grab my key  
despite there being no email address associated with it.

Ultimately, I decided that since I was already drowning in spam on  
all of my accounts anyway, the added trouble was insignificant, even  
if the added benefit was insignificant.  I put an email address on my  
key and decided I wasn't going to worry about it any more, since I  
didn't see it mattered too much either way.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

-----END PGP SIGNATURE-----


