hashed user IDs [was: Re: Security of the gpg private keyring?]

Robert J. Hansen rjh at sixdemonbag.org
Wed Mar 2 21:27:50 CET 2011

On 3/2/11 2:25 PM, MFPA wrote:
> Once, maybe. But for quite a few years (in the UK at least) there have
> been many competing directory enquiries services, and more recently
> the online versions as well. Choosing to be ex-directory is a
> binding instruction to your telephone company not to release your
> number to any such services.

The analogy continues to break down.  "Binding," in the context of the
analogy, means "if someone breaks this instruction, they will be hurt."
Maybe the government will start a criminal prosecution, maybe you have
recourse in a civil lawsuit, but ... ultimately, "if someone breaks this
instruction, they will be hurt."

Okay, fine: who are you electing to be the hurt-inflicter for the
OpenPGP community?  And in the absence of a designated hurt-inflicter,
how can there be a "binding instruction"?

The analogy you're drawing is appealing at first glance, but the more I
look at it the more it breaks down.

> It is also much easier to create new email addresses than it is to
> change phone numbers.

I would *far* rather change my phone number than change my email
address.  Probably a total of 50 people have my phone number: if I
change it, big deal.  If I change my email address, I'd probably need to
inform upwards of a thousand people of the change.

It may be true that *for you* it is easier to create new email addresses
than to change phone numbers.  It does not hold true for everyone, and
just how broadly it holds true is unknown.

More information about the Gnupg-users mailing list