hashed user IDs [was: Re: Security of the gpg private keyring?]

Ben McGinnes ben at adversary.org
Sun Mar 13 18:02:52 CET 2011

On 14/03/11 1:12 AM, MFPA wrote:
> On Sunday 13 March 2011 at 7:58:36 AM, in
> <mid:4D7C792C.2000206 at adversary.org>, Ben McGinnes wrote:
>> So, my question, how would you enable a user to display those keys
>> with known names or identities without searching for a specific key
>> belonging to a particular person?
> My understanding is that the new keybox format for storing keys will
> allow storing of metadata such as when the key was last
> refreshed/updated/matched a search, usage statistics, and local
> notes which might include the known names and/or email addresses.

Ah, I'm still using the 1.4.x branch, so I haven't seen any of that.
Maybe when 2.1 actually reaches the next stable release (2.2) I'll
have to have another look.

> There is a balance to be achieved. A user taking advantage of the
> new feature would have to accept the key would be less efficiently
> searched and located than one which announced all their details in
> flashing lights;

I'd hardly call it "flashing lights" just to be listed on the
keyserver, especially when the same data source also contains a large
amount of effectively useless data in which any key on the servers is
buried.

Speaking of which, I presume key ID 0x992F6351 is one of your tests?
If so, you probably should've used example.net as the domain name.
It's possible that the registrant of dfgh.net in Turkey might object
to this reference to his domain.

> Yes, different people you communicate with using different names/email
> addresses could share information. If this were uploaded to a database
> that became widely used instead of keyservers it would circumvent the
> whole idea...

As, indeed, would traffic analysis.

