hashed user IDs redux [was: Re: Creating a key bearing no user ID]
expires2012 at rocketmail.com
Sat Jan 28 20:34:49 CET 2012
On Friday 27 January 2012 at 10:49:43 AM, in
<mid:4F228147.7090401 at digitalbrains.com>, Peter Lebbing wrote:

> Hi MFPA,

> Can I ask what about the
> dkg--noenum-0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 at fifthhorseman.net
> form does not satisfy your requirement that the
> mailinglisten--noenum-zTTgFzNHU3RnkFyAxJuYMbs7 at hauke-laging.de
> does? Or do you not agree with the latter form either?

Is the idea that email addresses in the latter form contain
enough entropy to render enumeration infeasible, so they could
usefully be hashed and the digest placed in a UID? If so, it is a
small enough price to pay.

The scheme to use the fingerprint in the email address is interesting
because it neatly avoids the need for keysigning. I'm not sure what it
adds towards obscuring searchable information in UIDs - does the fact
that the fingerprint is known for the specific key mean it doesn't
really add much entropy? Or is the point that searching on the email
address doesn't find the key, you have to search for the fingerprint
(and the UID doesn't contain the email address at all, not even

> I'm not sure of your requirements. I thought all that
> was needed was a way to find a key belonging to an
> e-mail address without requiring the e-mail address to
> be in the UID.

The requirement I stated (or thought I had) was that the email address
(or name) could not be determined from the UID but searching a
keyserver for the email address (or name) would find the key.

Using the fingerprint is an interesting workaround. Would a search for
"dkg--noenum-0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 at email@example.com"
find the key with fingerprint
"0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" or would the user need to
just search for "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" to get the

MFPA mailto:expires2012 at rocketmail.com
If it aint broke, fix it till it is broke!
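
An added illustration of the hashed-UID idea discussed in this message (not code from the thread or from GnuPG): a toy keyserver index that stores only a digest of the address, so a search by address still finds the key, while a guessable address can be matched by hashing a candidate list and a `--noenum-` style address with a random token cannot. SHA-256, the lowercase normalisation, all class and function names, the example.org addresses and the placeholder fingerprints are assumptions made for the example.

```python
import hashlib
import secrets


def uid_digest(email: str) -> str:
    """Digest that would sit in the UID instead of the address (SHA-256 assumed)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class HashedUidIndex:
    """Toy keyserver index (hypothetical): UID digest -> key fingerprint."""

    def __init__(self):
        self._by_digest = {}

    def publish(self, email: str, fingerprint: str) -> None:
        self._by_digest[uid_digest(email)] = fingerprint

    def search(self, email: str):
        # The query is hashed the same way, so knowing the address finds the key.
        return self._by_digest.get(uid_digest(email))

    def stored_uids(self) -> set:
        # Everything a full dump of the index exposes: digests only.
        return set(self._by_digest)


def enumerable(stored: set, candidates) -> set:
    """Candidate addresses whose digest is present among the stored UIDs."""
    return {c for c in candidates if uid_digest(c) in stored}


def build_demo():
    """Publish one guessable and one high-entropy address (constructed data)."""
    index = HashedUidIndex()
    plain = "alice@example.org"
    # 18 random bytes -> 24 URL-safe characters, about 144 bits of entropy.
    noenum = f"alice--noenum-{secrets.token_urlsafe(18)}@example.org"
    index.publish(plain, "FINGERPRINT-PLACEHOLDER-1")
    index.publish(noenum, "FINGERPRINT-PLACEHOLDER-2")
    # Candidate list: common local parts plus blind guesses at the random token.
    guesses = [f"{name}@example.org" for name in ("alice", "bob", "carol")]
    guesses += [f"alice--noenum-{secrets.token_urlsafe(18)}@example.org"
                for _ in range(1000)]
    return index, plain, noenum, enumerable(index.stored_uids(), guesses)


if __name__ == "__main__":
    idx, plain, noenum, recovered = build_demo()
    print("search by address:", idx.search(plain), idx.search(noenum))
    print("recovered from digests by guessing:", recovered)
```
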