hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Sat Mar 12 23:25:53 CET 2011

Hash: SHA512


On Saturday 12 March 2011 at 8:24:34 PM, in
<mid:4D7BD682.2020200 at sixdemonbag.org>, Robert J. Hansen wrote:

> On 3/12/2011 3:10 PM, MFPA wrote:
>> After generating the list of possible email addresses, why would a
>> spammer generate the hashes and search for keys instead of simply
>> blasting out messages to the whole lot?

> Beats me.  You're the one who's assuming someone wants
> to harvest email addresses.

A desire to not publish my email addresses (but still have somebody
who knows any of my addresses find my key on a server) does not equate
to an assumption that somebody wants to harvest email addresses from
servers. If such an assumption was stated it wasn't by me. (-:

> Imagining a spammer behind
> it is just part of a thought exercise.

Fair enough. It just seemed difficult to imagine what would be the
return on their effort.

> Focus on the
> real issue -- that this scheme you're proposing is not
> secure against an even mildly motivated attacker -- not
> who the prospective attacker is.

Fair enough, I underestimated quite how easy a brute force attack
could be. Longer email addresses at less-obvious domain names makes it
just that little bit harder but that is not really the point, IMHO.
Since anybody can add a certification to the key saying whatever they
choose, somebody else could make public one or more of the hashed
email addresses or identities. No major problem, just add a new one.

Is not about providing complete confidentiality, anonymity or
security. Instead of leaving a document open on the desk, this scheme
is more akin to putting it in the drawer or cupboard than it is to
putting it in the safe. Not secure but good enough in many

- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

You can't build a reputation on what you are going to do


More information about the Gnupg-users mailing list