hashed user IDs [was: Re: Security of the gpg private keyring?]
expires2011 at ymail.com
Thu Mar 3 01:21:11 CET 2011
-----BEGIN PGP SIGNED MESSAGE-----
On Wednesday 2 March 2011 at 8:14:08 PM, in
<mid:4D6EA510.7080408 at fifthhorseman.net>, Daniel Kahn Gillmor wrote:
> it sounds to me like you've simply made it difficult
> for people to correspond with you over long periods of
> time because your e-mail address isn't likely to
> continue working.
Not especially so. The ones I use for mailing lists etc. change
periodically. This makes no difference to people contacting me, since
they should be doing it via the list. Ones I use with specific
individuals or groups of people, some are quite fleeting while others
persist for years.
> If your only concern is that you don't want your e-mail
> address publicly visible on the keyservers, just make a
> User ID with no e-mail address at all, and leave it at
> You'd still need to do the work of changing, say, MUAs
> to re-think their key-selection criteria to include
> keys without e-mail addresses
Something that would not be necessary if the underlying openPGP
implementations could handle hashed user IDs.
> But you wouldn't have to do any of the following:
> * specify and try to reach consensus on the syntax of
> a "standard" Hashed User ID
Isn't that best handled *after* a proof-of-concept?
> * modify underlying OpenPGP implementations to try
> digested searches
Could these be handled by a local proxy? The openPGP implementation
(which is configured to use the local proxy as keyserver, and not to
check the local keyring) queries the proxy using the plaintext search
string. The proxy checks the local keyring for both the plaintext
search string and the hash, and returns the combined results to the
openPGP implementation. The proxy (simultaneously?) queries a
keyserver for both the plaintext search string and the hash. If there
were matches in the local keyring, the keyserver results are discarded
(or cached?). If there were no matches in the local keyring, the
combined results from the keyserver are returned to the openPGP
implementation and keys may be imported as normal.
> * convince third-parties that it is worth their while
> to certify digested user IDs
That is not necessarily harder than convincing them to sign user IDs
wit no email address.
MFPA mailto:expires2011 at ymail.com
Zorba the Greek - before he zorbas you
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users