hashed user IDs [was: Re: Security of the gpg private keyring?]
expires2011 at ymail.com
Mon Mar 14 01:44:13 CET 2011
On Sunday 13 March 2011 at 5:02:52 PM, in
<mid:4D7CF8BC.3060509 at adversary.org>, Ben McGinnes wrote:
> Ah, I'm still using the 1.4.x branch, so I haven't seen
> any of that.
Nor have I; it is just my understanding from descriptions and answers
to questions that I have read.
> I'd hardly call it "flashing lights" just to be listed
> on the keyserver, especially when the same data source
> also contains a large amount of effectively useless
> data in which any key on the servers is buried amongst.
Ok, you know what I mean. When you have found the key, all user IDs
are readable and the information is clearly visible. Compared to a key
showing only hashes in the user IDs, this is like having the
information up in lights for all to see. (-:
> Speaking of which, I presume key ID 0x992F6351 is one
> of your tests?
Without looking at it I couldn't comment; I have a handful out there.
> If so, you probably should've used
> example.net as the domain name.
Depends. What was being tested may have required a working email
> It's possible that the
> registrant of dfgh.net in Turkey might object to this
> reference to his domain.
Last I heard, dfgh.net was one of the domains whose owner allows its
use as an alternative to spamgourmet.com. If it has changed hands, the
new owner could be in for a shock...
>> Yes, different people you communicate with using
>> different names/email addresses could share
>> information. If this were uploaded to a database that
>> became widely used instead of keyservers it would
>> circumvent the whole idea...
> As, indeed, would traffic analysis.
And neither of these is within the scope of the limited protection
intended by this scheme.
MFPA mailto:expires2011 at ymail.com
Wisdom is a companion to age; yet age may travel alone.