explain nrsign & lsign?

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 29 07:18:18 CET 2007

Hash: SHA256

> The thing is degree. Yes, keys are likely harvested. But I will  
> suggest you'll
> get /much more/ SPAM from sending a message to this list than you  
> will from
> publishing an email address on a key and sending it to a keyserver.

While I agree that in general keyserver harvesting is not a huge  
problem for the community, we should be wary about thinking it will  
not become a huge problem for the community.  Prudence suggests we  
consider both alternatives.

> Those volumes represent about one or two days worth on a couple  
> other accounts.

This may only mean that there's only one spam syndicate who's  
harvesting keyservers, whereas the countless numbers of other  
spammers haven't caught on yet.  This could just as easily mean that  
other spammers have considered the option and decided it's a bad idea  
for whatever reason, and only one syndicate isn't getting the memo.   
Hard to say.

> So, yes - harvesting occurs. But its impact is being portrayed way  
> out of
> proportion to its actual effect. I'd have to conclude that the  
> benefits of
> having good addresses searchable on the keyservers far outweighs  
> the negligible
> volume of SPAM that can be traced to actual harvesting.

The following is anecdotal experience, so it should be taken with a  
grain of salt.  Still, it's worth considering.

I spent some time without an email address listed on my key to test  
out for myself whether it would present a usability issue.  Turns out  
it didn't; putting OpenPGP kluges in my email headers told my  
recipients my key ID, which made it possible for them to grab my key  
despite there being no email address associated with it.

Ultimately, I decided that since I was already drowning in spam on  
all of my accounts anyway, the added trouble was insignificant, even  
if the added benefit was insignificant.  I put an email address on my  
key and decided I wasn't going to worry about it any more, since I  
didn't see it mattered too much either way.

Version: GnuPG v1.4.6 (Darwin)


More information about the Gnupg-users mailing list