hash email addresses / directory privacy enhancement
2014-667rhzu3dc-lists-groups at riseup.net
Tue Apr 29 01:17:30 CEST 2014
-----BEGIN PGP SIGNED MESSAGE-----
On Monday 28 April 2014 at 5:49:30 PM, in
<mid:CADeCvyctpQ8FNcmfOeXXJTYGYAspc6ymERqdt72duw2FoCLgng at mail.gmail.com>,
John Wofford wrote:
> I apologize if this has been discussed before,
I have taken part in such discussions before. A quick search suggests
to look in the list archives for around July 2010, Feb/March 2011, and
> wouldn't it make sense to run email addresses through a
> one-way hash before uploading them to a keyserver?
I would love to do this for both email addresses and names, for
> seems trivial for spammers to scrape all uploaded keys
> for addresses at this point in time.
Probably quicker and easier for spammers to just randomly generate
addresses. And there will be so many out-of-date email addresses on
the keyservers that it would not be worth the effort to scrape them.
I have a key on the servers for just over four years now with a valid
address that has been used for no other purpose and has not received a
single email. OK, not a statistically valid experiment but I'm sure
plenty of others have done similar.
> For example, I upload key associated with address
> john.smith at example.com to an SKS keyserver. Rather than
> having the key associated "john.smith at example.com", I
> think it would make more sense to associate and be
> searchable by hash XYZ.
In previous discussion, knowledgeable people tell me they see
little-to-no merit in the suggestion.
> Therefore, public keys are all
> still accessible and public, but a user would need to
> have the knowledge of email address
> "john.smith at example.com" before using the key (rather
> than just "browsing" a dump).
There is little or no evidence of this type of spam.
MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net
To know what we know, and know what we do not know, is wisdom.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users