hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Mon Mar 14 01:44:13 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 13 March 2011 at 5:02:52 PM, in
<mid:4D7CF8BC.3060509 at adversary.org>, Ben McGinnes wrote:

> Ah, I'm still using the 1.4.x branch, so I haven't seen
> any of that.

Nor have I; it is just my understanding from descriptions and answers
to questions that I have read.



> I'd hardly call it "flashing lights" just to be listed
> on the keyserver, especially when the same data source
> also contains a large amount of effectively useless
> data in which any key on the servers is buried amongst.

Ok, you know what I mean. When you have found the key, all user IDs
are readable and the information is clearly visible. Compared to a key
showing only hashes in the user IDs, this is like having the
information up in lights for all to see. (-:



> Speaking of which, I presume key ID 0x992F6351 is one
> of your tests?

Without looking at it I couldn't comment; I have a handful out there.
(-;



> If so, you probably should've used
> example.net as the domain name.

Depends. What was being tested may have required a working email
address.



> It's possible that the
> registrant of dfgh.net in Turkey might object to this
> reference to his domain.

Last I heard, dfgh.net was one of the domains whose owner allows its
use as an alternative to spamgourmet.com. If it has changed hands, the
new owner could be in for a shock...



>> Yes, different people you communicate with using
>> different names/email addresses could share
>> information. If this were uploaded to a database that
>> became widely used instead of keyservers it would
>> circumvent the whole idea...

> As, indeed, would traffic analysis.

And neither of these is within the scope of the limited protection
intended by this scheme.


- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Wisdom is a companion to age; yet age may travel alone.