Don't send encrypted messages to random users

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Thu Jun 1 03:24:17 CEST 2017





On Tuesday 30 May 2017 at 8:42:04 PM, in
<mid:tp1i29fufmf7xv.fsf at menglehorn-lt.lan.zayoms.net>, Michael
Englehorn wrote:-


> Also, it would be strange to only publish your key's "name only" UID to the
> keyserver, because then at a keysigning event I wouldn't know where to
> send your public key back to, and I couldn't certify any of your e-mail
> addresses.


A user can use hashed instead of human-readable forms of their name
and/or their email address in a key's user-ids. The email address (or
name) cannot be determined from simple inspection of the UID. This is
just a defence against casual snooping on the information in user-ids,
not a security measure, but the "incident" that gave rise to this thread
is prevented. The downside is that using the cleartext email address (or
name) as your search string doesn't find the key from a keyserver, and
the email client fails to match the key by email address, rendering
those UIDs largely useless.

It has been discussed here before, and dismissed by people cleverer
than me, that the hashed version could be searched for as well as the
readable version to locate a key from the local keyring or from
keyservers. A member of PGPNET produced some Python scripts as an
exercise in seeing what might go into this, when we last discussed the
idea over there about three years ago.

-- 
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

No matter where you go, there you are.
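The dual lookup the post describes (search for the hashed form as well as the readable form) as an added example; this is not the PGPNET scripts mentioned above, and the hashing convention (SHA-256 over the lowercased, trimmed value, prefixed with "sha256:"), the keyring and the fingerprint placeholders are all constructed for the example.

```python
import hashlib

def hashed_uid(value: str) -> str:
    """Hashed user-id for a name or email address.

    Assumption: SHA-256 over the trimmed, lowercased UTF-8 value with a
    'sha256:' prefix. This is a constructed convention, not a standard;
    an OpenPGP user-id is a free-form UTF-8 string, so any such form is valid.
    """
    norm = value.strip().lower()
    return "sha256:" + hashlib.sha256(norm.encode("utf-8")).hexdigest()

def cleartext_match(uid: str, query: str) -> bool:
    """Keyserver-style substring search on the readable user-id only."""
    return query.strip().lower() in uid.strip().lower()

def uid_matches(uid: str, query: str) -> bool:
    """Match a user-id against the query in readable OR hashed form."""
    if cleartext_match(uid, query):
        return True
    # Hash the search string the same way a hashed UID would have been built;
    # the hex digest is compared against the stored UID (or embedded in it).
    return hashed_uid(query) in uid.strip().lower()

# Constructed local keyring: (fingerprint placeholder, list of user-ids).
KEYRING = [
    ("FPR-PLACEHOLDER-1", ["Alice Example <alice@example.org>"]),
    ("FPR-PLACEHOLDER-2", [hashed_uid("bob@example.org")]),      # hashed email only
    ("FPR-PLACEHOLDER-3", ["Carol", hashed_uid("Carol Example")]),  # name + hashed name
]

def search_cleartext_only(keyring, query: str) -> list:
    """What a plain keyserver/email-client lookup finds: readable UIDs only."""
    return [fpr for fpr, uids in keyring
            if any(cleartext_match(u, query) for u in uids)]

def search_keyring(keyring, query: str) -> list:
    """Lookup that also tries the hashed form, so hashed UIDs become findable."""
    return [fpr for fpr, uids in keyring
            if any(uid_matches(u, query) for u in uids)]

if __name__ == "__main__":
    for q in ("alice@example.org", "bob@example.org", "Carol Example"):
        print(q, "cleartext-only:", search_cleartext_only(KEYRING, q),
              "with hash:", search_keyring(KEYRING, q))
```

The cleartext-only search is the failure mode the post describes: a key whose UID is only the hashed email is invisible to it, while the hash-aware search still locates it from the same search string.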




More information about the Gnupg-users mailing list