hashed user IDs redux [was: Re: Creating a key bearing no user ID]

Peter Lebbing peter at digitalbrains.com
Thu Jan 26 12:07:15 CET 2012

On 25/01/12 23:55, Daniel Kahn Gillmor wrote:
> If people use e-mail addresses like this, then they could probably just
> derive the high-entropy-portion of their e-mail address from their key's
> fingerprint directly, and attach only a User ID like "anonymous".
> e.g.
>   dkg--noenum-0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 at fifthhorseman.net
> Then no keysigning would be needed as anyone who knows the e-mail
> address already knows the key to use, and the key is fetchable from the
> keyservers by keyid directly.
> This can all be done with the current toolchain, without modification,
> afacit.  The only problem is that you'd have to adjust your MUA to tell
> it which key to use explicitly for mailing to addresses like this.  If
> you think this is the way to go, maybe you should talk to MUA
> developers, or propose a mechanism or heuristic gpg could use to
> pre-select keys from e-mail addresses like this.

I like it. I was thinking along the same lines, but you were a big step ahead of
me. I hadn't thought of the fingerprint. I think you might have just solved the
whole issue with a much better solution!

I don't think you can add entropy to an e-mail address and end up with a
solution that is more elegant than what you just proposed with the fingerprint.

> Please propose an alternate scheme that you think would be an
> improvement if you think such a scheme exists.

You just did yourself ;D.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
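
The key pre-selection step discussed in the quoted proposal, sketched as an added example (not part of the original messages and not GnuPG or MUA code). It assumes the "--noenum-" separator from the example address is a fixed convention and that the 40 hex digits are a version 4 fingerprint; a key fetched by key ID is accepted only if the fingerprint recomputed from its key material matches the address in full.

```python
import hashlib
import re
import struct

# Assumed convention, from the example address in the quoted message:
#   <name>--noenum-<40 hex digits>@<domain>   (archives may show " at ")
ADDR_RE = re.compile(
    r"^(?P<name>[^@\s]+)--noenum-(?P<fpr>[0-9A-Fa-f]{40})"
    r"(?:@| at )(?P<domain>[^@\s]+)$"
)

# Constructed toy v4 public-key packet body (not a usable key):
# version 4, creation time, algorithm 1 (RSA), MPI n (16 bits), MPI e (17 bits).
SAMPLE_KEY = (b"\x04" + struct.pack(">I", 1327575600) + b"\x01"
              + b"\x00\x10\xc0\xff" + b"\x00\x11\x01\x00\x01")
OTHER_KEY = SAMPLE_KEY[:-1] + b"\x03"  # constructed: differs in one octet


def fingerprint_from_address(addr):
    """Return the upper-case fingerprint embedded in addr, or None."""
    m = ADDR_RE.match(addr.strip())
    return m.group("fpr").upper() if m else None


def v4_fingerprint(packet_body):
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet length, packet body."""
    if not packet_body or packet_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    header = b"\x99" + struct.pack(">H", len(packet_body))
    return hashlib.sha1(header + packet_body).hexdigest().upper()


def address_for_key(name, domain, packet_body):
    """Build an address of the assumed form for this key."""
    return f"{name}--noenum-{v4_fingerprint(packet_body)}@{domain}"


def key_matches_address(addr, packet_body):
    """Accept a fetched key only if all 160 fingerprint bits match."""
    wanted = fingerprint_from_address(addr)
    return wanted is not None and wanted == v4_fingerprint(packet_body)


if __name__ == "__main__":
    addr = address_for_key("alice", "example.org", SAMPLE_KEY)
    print(addr, key_matches_address(addr, SAMPLE_KEY),
          key_matches_address(addr, OTHER_KEY))
```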
