Creating a key bearing no user ID

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 23 09:09:55 CET 2012

> Keyserver SPAM is a straw-man argument. Yes, it's possible for an 
> address to be pulled from the key on a keyserver, in fact, I'm 
> convinced harvesting probably takes place.

As am I.  However, it should be pointed out that this is no reason to
avoid using the keyservers.

One of the best ways to evaluate a defensive mechanism is whether it can
recover from a failure.  Consider securing your home.  A lock on the
front door is good, but once the thief is in past your front door the
lock is pointless.  It can't recover from a failure.

Being friends with your neighbor is a much better security mechanism.
If your neighbor doesn't see the burglars breaking in, they still might
see the burglars leaving, or be able to tell the cops "yes, there were
some strange people hanging around that place yesterday, watching it and
stuff, they were driving a...".  Even if in one particular moment your
neighbor fails, your neighbor can still come back to be a useful and
effective mechanism.  Good neighbors are a better security mechanism
than good locks.

(This may count as "old as the hills" wisdom: Proverbs 27:10 says
something like, "Better a neighbor nearby than a brother far away."
I've yet to find any 4,000-year-old proverbs extolling the virtues of
locks, much less any that are as true today as when they were first spoken.)

The same reasoning explains why keeping your email address hidden is a
poor spamfighting technique.  You have to *always* keep the email
address hidden, and the first time it gets published you have to assume
the spammers now have it.  All that time, effort, energy, stress and
frustration you put into keeping your email address unpublished is now
wasted: all you did was delay the inevitable by a few days, a few weeks,
maybe a few months.  Like the lock which, once bypassed, provides no
help whatsoever, your ascetic ways, once bypassed, give no benefit.

On the other hand, good spam detectors have wonderful failure recovery
modes.  If a piece of spam gets through, well, train the spam detector
to do a better job: the next time that spam won't get through.

More information about the Gnupg-users mailing list