Security of the gpg private keyring?

David Tomaschik david at systemoverlord.com
Tue Mar 1 01:09:12 CET 2011


On 02/28/2011 05:40 PM, MFPA wrote:
> Hi
> 
> 
> On Monday 28 February 2011 at 3:47:16 PM, in
> <mid:AANLkTi=ar9kOE_AFvwKiajB4t+6mqqYwc20e+kenLhne at mail.gmail.com>,
> Guy Halford-Thompson wrote:
> 
> 
>> Thanks for the help, didn't really occur to me how much
>> info is available in the public keyring, guess you can't
>> do much about it though.
> 
> 
> I think key UIDs generally reveal more information than I am
> comfortable with. For example, why does your UID need to contain your
> email address in plain text rather than as a hash? Searching for that
> email address would need to return any keys that matched on the hashed
> version in addition to any keys that matched on the plaintext version.
> Somebody knowing the email address (or name or hostname) could find
> the key but mere inspection of the key UIDs would not reveal all its
> owner's names, email addresses, etc.
> 
> I'm usually told such an option does not exist because it would serve
> no purpose and/or there would be no demand for it.
> 
> 

While I understand your concerns, I think it would just be nice if the
owner of a key could set a flag on it indicating that they did not want
their key published to keyservers.  Then privacy could be preserved with
MUCH smaller changes to infrastructure.  (Though, admittedly, it might
require a change in the OpenPGP spec, which would actually be much larger.)

David


