hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Sat Mar 12 23:25:53 CET 2011



Hi


On Saturday 12 March 2011 at 8:24:34 PM, in
<mid:4D7BD682.2020200 at sixdemonbag.org>, Robert J. Hansen wrote:


> On 3/12/2011 3:10 PM, MFPA wrote:
>> After generating the list of possible email addresses, why would a
>> spammer generate the hashes and search for keys instead of simply
>> blasting out messages to the whole lot?

> Beats me.  You're the one who's assuming someone wants
> to harvest email addresses.

A desire to not publish my email addresses (but still have somebody
who knows any of my addresses find my key on a server) does not equate
to an assumption that somebody wants to harvest email addresses from
servers. If such an assumption was stated, it wasn't by me. (-:



> Imagining a spammer behind
> it is just part of a thought exercise.

Fair enough. It just seemed difficult to imagine what would be the
return on their effort.



> Focus on the
> real issue -- that this scheme you're proposing is not
> secure against an even mildly motivated attacker -- not
> who the prospective attacker is.

Fair enough, I underestimated quite how easy a brute force attack
could be. Longer email addresses at less-obvious domain names make it
just that little bit harder, but that is not really the point, IMHO.
Since anybody can add a certification to the key saying whatever they
choose, somebody else could make public one or more of the hashed
email addresses or identities. No major problem, just add a new one.

It is not about providing complete confidentiality, anonymity or
security. Instead of leaving a document open on the desk, this scheme
is more akin to putting it in the drawer or cupboard than it is to
putting it in the safe. Not secure, but good enough in many
circumstances.

-- 
Best regards

MFPA                    mailto:expires2011 at ymail.com

You can't build a reputation on what you are going to do
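A worked example of the trade-off the thread is circling, added here and not part of the original message. The hash construction (SHA-256 over a lowercased address) and the record layout are assumptions, since the proposal does not fix them; the keyserver records and the guessed addresses are constructed.

```python
import hashlib
import hmac


def normalize(addr: str) -> str:
    """Canonical form so the same address always yields the same hash."""
    return addr.strip().lower()


def hashed_uid(addr: str) -> str:
    """Unkeyed hash of the address (assumed SHA-256). Anyone who knows the
    address can compute it, which is exactly what makes the key findable."""
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()


def keyed_uid(addr: str, secret: bytes) -> str:
    """Keyed variant: cannot be checked against a guess list without the
    secret, but a correspondent now needs that secret as well as the
    address, so the key is no longer findable from the address alone."""
    return hmac.new(secret, normalize(addr).encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed stand-in for keyserver records: hashed UID -> key identifier.
PUBLISHED = {
    hashed_uid("alice@example.com"): "KEY-A",
    hashed_uid("bob@example.net"): "KEY-B",
}


def find_key(addr: str):
    """The intended use: a correspondent who knows the address finds the key.
    Returns None when no record hashes to that address."""
    return PUBLISHED.get(hashed_uid(addr))


def addresses_exposed(published: dict, guesses: list) -> dict:
    """What the unkeyed hash does not hide: every guessed address that is
    really present is confirmed with no more work than a legitimate lookup.
    Returns key identifier -> recovered (normalized) address."""
    exposed = {}
    for guess in guesses:
        digest = hashed_uid(guess)
        if digest in published:
            exposed[published[digest]] = normalize(guess)
    return exposed


# Constructed guess list, the kind an evaluator of the scheme would try.
GUESSES = ["Alice@Example.com", "carol@example.org", "bob@example.net"]
```

Running `find_key` on a known address succeeds, `addresses_exposed` confirms both published addresses from the guess list, and `keyed_uid` shows the only way to stop that is a secret the legitimate correspondent would also have to know.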



