hashed user IDs redux [was: Re: Creating a key bearing no user ID]

Robert J. Hansen rjh at sixdemonbag.org
Fri Jan 27 02:29:07 CET 2012

On 1/26/2012 6:41 PM, MFPA wrote:
> The use of the word "harvesting" in this context suggests to me a 
> concern about spamming rather than about privacy.

The use is correct.  Spamming is what someone does once they have your
private information: harvesting is the act of collecting.

> And I would like the ability to protect my name as well as (or
> instead of) my email address.

One windmill at a time, my ingenious gentleman of La Mancha.

> Is "without requiring any extensions" a necessary requirement?

"Necessary" is a strong word.  The consequence of extending it is you
get to be the one to write the extensions (both in RFC and source-code
form) and maintain them across a whole raft of other operating systems
and hardware configurations.

> If a solution were feasible that required an extension or a local 
> proxy to handle the keyserver queries, why should it be discarded?

A local proxy is not an extension.  An extension means "we're going to
break conformance with the OpenPGP spec" or "we're going to break
compatibility with the SKS keyserver network."

If you break conformance with the OpenPGP spec, then you get to build
the new spec.  If you break compatibility with the SKS network, then you
get to build a new network to replace it.

> Why would a spammer network bother to generate email addresses and 
> submit them as keyserver queries, rather than just sending spam out
> to them all?

I have been waiting for you to realize this.

*Even if you solve the key enumeration problem, you solve nothing.*  It
doesn't get you anything, because the email enumeration problem is just
as bad.

> For want of a better analogy, the names and email addresses readable 
> from User IDs on the keyservers are akin to listings in the phone 
> book. The names and email addresses that cannot be read because they 
> are obscured in blinded User IDs are akin to unlisted phone numbers.

And yet, my two unlisted cell phones both routinely get robocalls and
telemarketers.  They, too, work by enumeration.

More information about the Gnupg-users mailing list