hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Sat Mar 12 21:10:00 CET 2011



Hi


On Wednesday 9 March 2011 at 1:39:35 PM, in
<mid:4D778317.3020102 at sixdemonbag.org>, Robert J. Hansen wrote:


> 3.  Deploying this scheme means:
>
>         (a) people can no longer do fuzzy searches for
>         email addresses ("show me all user IDs that
>         look like this pattern")
>         (b) finding people's certificates may be made
>         more difficult due to (a)

Certificates with only hashed user IDs would be harder to find than
those that contain the actual name and email address. But easier to
find than those that show spurious information or contain no email
address or name at all.



> 4.  My suspicion is the number of users covered by (2)
> is pretty small.  My suspicion is the number of users
> impacted by (3) is pretty large. My suspicion is we do
> not have a very good handle on just how difficult we
> need to make things, given the resources available to
> spammers in (1a).

After generating the list of possible email addresses, why would a
spammer generate the hashes and search for keys instead of simply
blasting out messages to the whole lot?

- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Wisdom is a companion to age; yet age may travel alone.
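
Added illustration, not part of the original message or of GnuPG: a small Python model of the search trade-off in point 3 of the quoted text, comparing a keyserver-style index of plaintext user IDs with one of hashed user IDs. The hash (SHA-256 over the trimmed, lower-cased address), the key IDs and the addresses are assumptions constructed for the example; the thread does not specify them.

```python
import fnmatch
import hashlib

# Assumption: a hashed user ID is the hex SHA-256 of the trimmed, lower-cased
# email address. The thread does not name the hash or the normalisation.
def hash_uid(email: str) -> str:
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

# Constructed sample certificates: (key ID, email address in the user ID).
CERTS = [
    ("0xAAAA0001", "alice@example.org"),
    ("0xAAAA0002", "alice.smith@example.org"),
    ("0xAAAA0003", "bob@example.net"),
]

def build_index(certs, hashed: bool) -> dict:
    """Map the stored user-ID string (plaintext or hash) to its key ID."""
    return {(hash_uid(e) if hashed else e.lower()): k for k, e in certs}

def exact_lookup(index: dict, email: str, hashed: bool):
    """Lookup by someone who already knows the full address."""
    key = hash_uid(email) if hashed else email.strip().lower()
    return index.get(key)

def fuzzy_search(index: dict, pattern: str) -> list:
    """Glob match against whatever strings the index actually stores."""
    pat = pattern.lower()
    return sorted(k for uid, k in index.items() if fnmatch.fnmatchcase(uid, pat))

def demo() -> dict:
    plain = build_index(CERTS, hashed=False)
    hashed = build_index(CERTS, hashed=True)
    return {
        # Exact lookup survives hashing: the searcher hashes the query too.
        "plain_exact": exact_lookup(plain, "Alice@Example.org", False),
        "hashed_exact": exact_lookup(hashed, "Alice@Example.org", True),
        # Pattern search only works while the address itself is stored.
        "plain_fuzzy": fuzzy_search(plain, "alice*@example.org"),
        "hashed_fuzzy": fuzzy_search(hashed, "alice*@example.org"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
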



