hashed user IDs [was: Re: Security of the gpg private keyring?]

Ben McGinnes ben at adversary.org
Mon Mar 14 02:06:26 CET 2011

On 14/03/11 11:44 AM, MFPA wrote:
> On Sunday 13 March 2011 at 5:02:52 PM, in
> <mid:4D7CF8BC.3060509 at adversary.org>, Ben McGinnes wrote:
>> I'd hardly call it "flashing lights" just to be listed on the
>> keyserver, especially when the same data source also contains a
>> large amount of effectively useless data in which any key on the
>> servers is buried amongst.
> Ok, you know what I mean. When you have found the key, all user IDs
> are readable and the information is clearly visible. Compared to a
> key showing only hashes in the user IDs, this is like having the
> information up in lights for all to see. (-:

I can't speak for everyone else, but I've always taken the term of
saying something is in "flashing lights" to mean that something is
drawing attention to that thing.  The existence of a UID being in a
human readable format on a keyserver doesn't really fit that category.

>> Speaking of which, I presume key ID 0x992F6351 is one of your
>> tests?
> Without looking at it I couldn't comment; I have a handful out there.
> (-;

Well, the name kind of gives it away:

N.O. Hashing <EB089BE1992F6351_uploaded_20100303.mfpa at dfgh.net>
  2048 bit RSA key 992F6351, created: 2010-03-03

> Last I heard, dfgh.net was one of the domains whose owner allows its
> use as an alternative to spamgourmet.com. If it has changed hands, the
> new owner could be in for a shock...

The whois data says it's been registered for a few years, so it
probably hasn't changed hands.

Anyway, out of curiosity, did you ever receive spam by that address
and prove it had been harvested from the keyservers?  I still think
harvesting addresses from the keyservers is too much effort for
spammers, who mostly generate the target addresses, but it would be
nice to finally answer that question.



More information about the Gnupg-users mailing list