hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Sun Mar 13 15:12:19 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 13 March 2011 at 7:58:36 AM, in
<mid:4D7C792C.2000206 at adversary.org>, Ben McGinnes wrote:


> So, my question, how would you enable a user to display
> those keys with known names or identities without
> searching for a specific key belonging to a particular
> person?

My understanding is that the new keybox format for storing keys will
allow storing of metadata such as when the key was last
refreshed/updated/matched a search, usage statistics, and local notes
which might include the known names and/or email addresses.



> It could be done with a local db or address book which
> maps previous key searches to the hashes and keys they
> match, but this seems to be an additional level of
> complexity just to achieve a current feature

Don't forget the additional feature of being able to publish a key
that, by direct examination, will not reveal your name(s) and/or email
address(es) but can still be located by a user who already has that
information about you.

There is a balance to be achieved. A user taking advantage of the new
feature has to accept that the key would be less efficiently searched and
located than one which announced all their details in flashing lights;
a user encountering that key can at least locate it from the name or
email address, unlike if the key owner had used spurious or no
information in the UIDs.



>  and could
> also be used to circumvent the entire idea if performed
> on a large enough scale.

Yes, different people you communicate with using different names/email
addresses could share information. If this were uploaded to a database
that became widely used instead of keyservers it would circumvent the
whole idea...


- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

My mind works like lightning... one brilliant flash and it's gone
-----BEGIN PGP SIGNATURE-----

iQE7BAEBCgClBQJNfNDLnhSAAAAAAEAAVXNpZ25pbmdfa2V5X0lEIHNpZ25pbmdf
a2V5X0ZpbmdlcnByaW50IEAgIE1hc3Rlcl9rZXlfRmluZ2VycHJpbnQgQThBOTBC
OEVBRDBDNkU2OSBCQTIzOUI0NjgxRjFFRjk1MThFNkJENDY0NDdFQ0EwMyBAIEJB
MjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0N0VDQTAzAAoJEKipC46tDG5pUosD/19j
MG6l6l1aaS9Ou/g8alGi3zwLUZbnpqcp5PDhUGn2F4CW5JB06TK29FDxrh+Ij/9B
39rOb4nd3d84/cIa/SMcyvgOqJB9GAjORCIE/JuQbp8+JplkGQQ+y5/8GZ60jWqq
AVh22ZiJzIjh9jV2MEIU3jiSJMR1dii74TmCHVqf
=x//r
-----END PGP SIGNATURE-----
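The two points made in the message above, that a hashed UID hides the address from direct examination yet still lets someone who already knows the address locate the key, and that pooled address lists would undo that hiding, as an added example that is not part of the original post or of any GnuPG code. The hashing scheme (hex SHA-256 of the lower-cased, stripped address), the fingerprints and the keyserver index are all constructed assumptions for illustration; the thread does not specify a scheme.

```python
import hashlib
from typing import Optional

# Assumed scheme (the original message does not pin one down): the published
# UID is the hex SHA-256 of the address, lower-cased and stripped, so that two
# correspondents who both know the address derive the same string.
def hashed_uid(email: str) -> str:
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

# Constructed sample fingerprints and keyserver index (not real keys).
ALICE_FPR = "1111222233334444555566667777888899990000"
BOB_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

# Alice publishes only a hashed UID; Bob announces his details in the clear.
SAMPLE_INDEX = {
    ALICE_FPR: [hashed_uid("alice@example.org")],
    BOB_FPR: ["Bob Example <bob@example.net>"],
}

def uid_reveals_address(uid: str) -> bool:
    """A plain UID carries the address in the clear; a hashed UID does not."""
    return "@" in uid

def locate(email: str, index: dict) -> list:
    """Fingerprints whose UIDs match the address, either in the clear
    (case-insensitive substring) or as its hashed form. The hashed form
    only matches when the searcher already knows the exact address."""
    needle = email.strip().lower()
    target = hashed_uid(email)
    hits = []
    for fpr, uids in index.items():
        for uid in uids:
            if uid == target or needle in uid.lower():
                hits.append(fpr)
                break
    return hits

def reidentify(uid: str, candidate_addresses) -> Optional[str]:
    """Dictionary attack: whoever holds a list of plausible addresses can
    recover which one a hashed UID stands for, since email addresses are
    low-entropy. This is the pooling problem raised in the message: enough
    shared address books, or a widely used mapping database, undo the hiding."""
    for addr in candidate_addresses:
        if hashed_uid(addr) == uid:
            return addr
    return None

if __name__ == "__main__":
    # Alice's key is found by someone who knows her address ...
    print(locate("Alice@Example.org", SAMPLE_INDEX))
    # ... and re-identified by anyone holding a list that contains it.
    print(reidentify(SAMPLE_INDEX[ALICE_FPR][0],
                     ["bob@example.net", "alice@example.org"]))
```

The lookup side and the attack side use the same `hashed_uid` function on purpose: any scheme that lets a correspondent derive the UID from a known address lets a third party test candidate addresses against it in exactly the same way, which is why the message treats the hiding as a balance rather than a guarantee.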