hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Mon Mar 14 01:44:13 CET 2011

On Sunday 13 March 2011 at 5:02:52 PM, in
<mid:4D7CF8BC.3060509 at adversary.org>, Ben McGinnes wrote:

> Ah, I'm still using the 1.4.x branch, so I haven't seen
> any of that.

Nor have I; it is just my understanding from descriptions and answers
to questions that I have read.

> I'd hardly call it "flashing lights" just to be listed
> on the keyserver, especially when the same data source
> also contains a large amount of effectively useless
> data in which any key on the servers is buried amongst.

Ok, you know what I mean. When you have found the key, all user IDs
are readable and the information is clearly visible. Compared to a key
showing only hashes in the user IDs, this is like having the
information up in lights for all to see. (-:

> Speaking of which, I presume key ID 0x992F6351 is one
> of your tests?

Without looking at it I couldn't comment; I have a handful out there.

> If so, you probably should've used
> example.net as the domain name.

Depends. What was being tested may have required a working email

> It's possible that the
> registrant of dfgh.net in Turkey might object to this
> reference to his domain.

Last I heard, dfgh.net was one of the domains whose owner allows its
use as an alternative to spamgourmet.com. If it has changed hands, the
new owner could be in for a shock...

>> Yes, different people you communicate with using
>> different names/email addresses could share
>> information. If this were uploaded to a database that
>> became widely used instead of keyservers it would
>> circumvent the whole idea...

> As, indeed, would traffic analysis.

And neither of these is within the scope of the limited protection
intended by this scheme.

--
Best regards

MFPA                    mailto:expires2011 at ymail.com

Wisdom is a companion to age; yet age may travel alone.
