hash email addresses / directory privacy enhancement

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Tue Apr 29 01:17:30 CEST 2014

Hash: SHA512


On Monday 28 April 2014 at 5:49:30 PM, in
<mid:CADeCvyctpQ8FNcmfOeXXJTYGYAspc6ymERqdt72duw2FoCLgng at mail.gmail.com>,
John Wofford wrote:

> I apologize if this has been discussed before,

I have taken part in such discussions before. A quick search suggests
to look in the list archives for around July 2010, Feb/March 2011, and
January 2012.

> but
> wouldn't it make sense to run email addresses through a
> one-way hash before uploading them to a keyserver?

I would love to do this for both email addresses and names, for
privacy reasons.

> It
> seems trivial for spammers to scrape all uploaded keys
> for addresses at this point in time.

Probably quicker and easier for spammers to just randomly generate
addresses. And there will be so many out-of-date email addresses on
the keyservers that it would not be worth the effort to scrape them.

I have a key on the servers for just over four years now with a valid
address that has been used for no other purpose and has not received a
single email. OK, not a statistically valid experiment but I'm sure
plenty of others have done similar.

> For example, I upload key associated with address
> john.smith at example.com to an SKS keyserver. Rather than
> having the key associated "john.smith at example.com", I
> think it would make more sense to associate and be
> searchable by hash XYZ.

In previous discussion, knowledgeable people tell me they see
little-to-no merit in the suggestion.

> Therefore, public keys are all
> still accessible and public, but a user would need to
> have the knowledge of email address
> "john.smith at example.com" before using the key (rather
> than just "browsing" a dump).

There is little or no evidence of this type of spam.

- --
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

To know what we know, and know what we do not know, is wisdom.


More information about the Gnupg-users mailing list