hashed user IDs [was: Re: Security of the gpg private keyring?]

Ben McGinnes ben at adversary.org
Mon Mar 14 02:06:26 CET 2011


On 14/03/11 11:44 AM, MFPA wrote:
> On Sunday 13 March 2011 at 5:02:52 PM, in
> <mid:4D7CF8BC.3060509 at adversary.org>, Ben McGinnes wrote:
> 
>> I'd hardly call it "flashing lights" just to be listed on the
>> keyserver, especially when the same data source also contains a
>> large amount of effectively useless data in which any key on the
>> servers is buried amongst.
> 
> Ok, you know what I mean. When you have found the key, all user IDs
> are readable and the information is clearly visible. Compared to a
> key showing only hashes in the user IDs, this is like having the
> information up in lights for all to see. (-:

I can't speak for everyone else, but I've always taken the term of
saying something is in "flashing lights" to mean that something is
drawing attention to that thing.  The existence of a UID being in a
human readable format on a keyserver doesn't really fit that category.

>> Speaking of which, I presume key ID 0x992F6351 is one of your
>> tests?
> 
> Without looking at it I couldn't comment; I have a handful out there.
> (-;

Well, the name kind of gives it away:

N.O. Hashing <EB089BE1992F6351_uploaded_20100303.mfpa at dfgh.net>
  2048 bit RSA key 992F6351, created: 2010-03-03

> Last I heard, dfgh.net was one of the domains whose owner allows its
> use as an alternative to spamgourmet.com. If it has changed hands, the
> new owner could be in for a shock...

The whois data says it's been registered for a few years, so it
probably hasn't changed hands.

Anyway, out of curiosity, did you ever receive spam by that address
and prove it had been harvested from the keyservers?  I still think
harvesting addresses from the keyservers is too much effort for
spammers, who mostly generate the target addresses, but it would be
nice to finally answer that question.


Regards,
Ben


