hashed user IDs redux [was: Re: Creating a key bearing no user ID]

Peter Lebbing peter at digitalbrains.com
Sun Jan 29 10:05:28 CET 2012


On 28/01/12 20:34, MFPA wrote:
> Or is the point that searching on the email address doesn't find the
> key, you have to search for the fingerprint (and the UID doesn't contain
> the email address at all, not even obscured)?

Yes, exactly. The UID just says "Anonymous" or whatever you want it to say.

> or would the user need to just search for 
> "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" to get the key?

Yes. Either the user needs to be this savvy, or his tools (MUA, or GnuPG)
need to recognise the special form e-mail address and do this.

To automate it, either the MUA or GnuPG needs to recognise the special form
e-mail address, but no other changes are necessary (e.g. the keyserver can
stay the same).

By the way, the way I see it, the e-mail address really exists. You can mail
to dkg--noenum-0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 at fifthhorseman.net
and it arrives. Demanding the MUA to automatically strip it and mail
dkg at fifthhorseman.net instead really hinders adoption.

I assumed Hauke Laging's high-entropy e-mail address variant also needed the
e-mail address to actually exist, otherwise I don't see how that variation
could meet the requirements, namely that possession of the e-mail
address is enough to get someone's public key.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
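
Added example, not part of Peter's message or of GnuPG or any MUA: a sketch of the recognition step the message says a tool would need, turning a special-form address into a fingerprint lookup and checking what the keyserver returns. The grammar (local part, "--noenum-", 40 hex digits) is an assumption inferred from the one address quoted above, and the function names are hypothetical.

```python
import re

# Assumed grammar, inferred from the single address in the message:
#   <local>--noenum-<40 hex digit fingerprint>@<domain>
NOENUM_RE = re.compile(
    r"^[^@\s]+?--noenum-(?P<fpr>[0-9A-Fa-f]{40})@[^@\s]+$"
)


def parse_noenum(address):
    """Return the embedded fingerprint (upper case), or None when the
    address is not special-form (including a malformed fingerprint)."""
    m = NOENUM_RE.match(address.strip())
    return m.group("fpr").upper() if m else None


def lookup_term(address):
    """Term to search the keyserver for: the fingerprint for a
    special-form address, the address itself otherwise. The fingerprint
    can be passed to `gpg --recv-keys`; the keyserver is unchanged."""
    fpr = parse_noenum(address)
    return fpr if fpr is not None else address.strip()


def accept_key(address, returned_fingerprint):
    """The keyserver is untrusted and the UID carries no address, so the
    only binding is the fingerprint: accept a returned key only when its
    full fingerprint equals the one embedded in the address."""
    expected = parse_noenum(address)
    if expected is None:
        return False  # ordinary address: this check cannot vouch for it
    got = "".join(returned_fingerprint.split()).upper()
    return got == expected


if __name__ == "__main__":
    # Address from the message, written with "@" (sample input).
    addr = ("dkg--noenum-0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"
            "@fifthhorseman.net")
    print("search for:", lookup_term(addr))
    # Mail is still sent to the full, unstripped address.
    print("mail to:   ", addr)
```
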


