hash email addresses / directory privacy enhancement

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Tue Apr 29 01:17:30 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 28 April 2014 at 5:49:30 PM, in
<mid:CADeCvyctpQ8FNcmfOeXXJTYGYAspc6ymERqdt72duw2FoCLgng at mail.gmail.com>,
John Wofford wrote:


> I apologize if this has been discussed before,

I have taken part in such discussions before. A quick search suggests
looking in the list archives for around July 2010, Feb/March 2011, and
January 2012.



> but
> wouldn't it make sense to run email addresses through a
> one-way hash before uploading them to a keyserver?

I would love to do this for both email addresses and names, for
privacy reasons.



> It
> seems trivial for spammers to scrape all uploaded keys
> for addresses at this point in time.

Probably quicker and easier for spammers to just randomly generate
addresses. And there will be so many out-of-date email addresses on
the keyservers that it would not be worth the effort to scrape them.

I have had a key on the servers for just over four years now with a valid
address that has been used for no other purpose and has not received a
single email. OK, not a statistically valid experiment but I'm sure
plenty of others have done similar.



> For example, I upload a key associated with address
> john.smith at example.com to an SKS keyserver. Rather than
> having the key associated with "john.smith at example.com", I
> think it would make more sense to associate and be
> searchable by hash XYZ.

In previous discussion, knowledgeable people tell me they see
little-to-no merit in the suggestion.



> Therefore, public keys are all
> still accessible and public, but a user would need to
> have the knowledge of the email address
> "john.smith at example.com" before using the key (rather
> than just "browsing" a dump).

There is little or no evidence of this type of spam.


- --
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

To know what we know, and know what we do not know, is wisdom.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




More information about the Gnupg-users mailing list