Security of the gpg private keyring?

MFPA expires2011 at ymail.com
Tue Mar 1 01:57:20 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 28 February 2011 at 11:38:31 PM, in
<mid:D8186941-6E29-4358-9F0F-4A9C900CDA8B at jabberwocky.com>, David Shaw
wrote:

> I think the problem here is the large size of the
> deployed infrastructure that expects user IDs to have
> email addresses in them

Apart from email clients, what infrastructure expects email addresses
in UIDs?



> To make
> this change, you'd have to have a keyserver that could
> search in that manner,

Any keyserver could handle searching for both the plain text and the
hash: the client could query for one string, then for the other, then
combine the results.



> plus client support to make the
> hashes when talking to the keyserver, etc.

Hashes would need to be generated when selecting keys on the local
keyring too, not just when talking to keyservers.



> You'd have
> to handle the very-small-but-non-zero chance of a hash
> collision in the user ID, too.

A plaintext "collision" where two people have the same name in their
UID is nothing to write home about. Why would it be an issue if the
colliding string happened to be a hash?




- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Wise men learn many things from their enemies.
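The lookup discussed in the message above (query for the plain address, then for its hash, then combine the results), as an added example that is not part of the original post and is not GnuPG or keyserver code. The hash scheme (hex SHA-256 of the lower-cased address), the function names and the sample keyring are assumptions made for illustration.

```python
import hashlib

def uid_hash(email):
    """Assumed scheme: hex SHA-256 of the trimmed, lower-cased address."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def search(keyring, needle):
    """Stand-in for one keyserver (or local keyring) query:
    case-insensitive substring match against each user ID."""
    needle = needle.lower()
    return [(fpr, uid) for fpr, uid in keyring if needle in uid.lower()]

def find_keys(keyring, email):
    """Query for the plain address, then for its hash, and merge the two
    result sets by fingerprint so a key carrying both forms appears once."""
    merged = {}
    for needle in (email, uid_hash(email)):
        for fpr, uid in search(keyring, needle):
            merged.setdefault(fpr, []).append(uid)
    return merged

# Constructed sample keyring of (fingerprint, user ID) pairs.
# The fingerprints are placeholders, not real keys.
KEYRING = [
    ("FPR-A", "Alice Example <alice@example.org>"),
    ("FPR-A", "Alice Example <%s>" % uid_hash("alice@example.org")),
    ("FPR-B", "Alice Example <%s>" % uid_hash("alice@example.org")),
    ("FPR-C", "Bob Example <bob@example.org>"),
]

if __name__ == "__main__":
    # Two different keys answer to the same search string. The caller still
    # has to choose between them by fingerprint, exactly as when two
    # plaintext user IDs carry the same name.
    for fpr, uids in find_keys(KEYRING, "Alice@Example.org").items():
        print(fpr, uids)
```

The same `find_keys` call covers local key selection, since `search` only needs a list of fingerprint and user ID pairs.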




More information about the Gnupg-users mailing list