Creating a key bearing no user ID

Robert J. Hansen rjh at sixdemonbag.org
Wed Jan 25 05:35:35 CET 2012


On 1/24/2012 11:10 PM, John Clizbe wrote:
> However, testing I did a few years ago found the amount of SPAM attributable to
> a key on a keyserver was not significantly different from that received as just
> random SPAM noise from an unused ISP account.

My own experience may be worth mentioning.  I had (have) an email
account that's only ever mentioned in one place, on a certificate of
mine.  For several weeks it received no spam, and then in the space of a
couple of days the spam volume was indistinguishable from any other
account.  My conclusion from this is once the spammers know they have a
hit, they share your email address quickly.  The deluge goes from "a
trickle" to "a firehose" in the space of a day or two.

> The same issues remain untouched just like the countless other times you've
> brought up this idea. What are its specifications? Is there any support from the
> IETF OpenPGP working group? Is there an implementation of your idea?

While these questions are certainly apt, I'd like to see a firm
theoretical foundation for the idea.  We don't have a solid theory for
how to achieve MFPA's desired end.  Until we do, I think all discussion
about implementation is premature.

Without a strong theoretical foundation, talk about blinded hashes of
email addresses is sort of like talk about perpetual motion machines:
yes, it would be lovely to have them, but we don't have the first clue
how to do it.  The burden is not on the critics of these ideas to prove
they are impossible: the burden is on the advocates of these ideas to
show they are possible.

Casting aspersions as to the motives of critics puts one in the same
ranks as cancer cure quacks who defend themselves against their critics
in mainstream oncology by saying, "well, of course they want you to stay
sick."


