Hide UID From Public Key Server By Poison Your Key?

Robert J. Hansen rjh at sixdemonbag.org
Tue Jan 16 01:01:52 CET 2018


> Just an idea, it might be more efficient if I just
> commit online suicide (throw away my current
> identity).

I should also add: in addition to being a dick move, this approach
doesn't work.  It's genuinely counterproductive.

If I were to see a certificate with a hundred different UIDs, I'd
immediately start digging around.  This is not what you want: in the
course of poisoning your cert you've made it odd, unusual, and interesting.

Next thing I'd do would be to start scouring the internet for these
usernames.  Most would simply not have any trail associated with them
whatsoever: I'd email them and get bounce messages to confirm it.  I've
now largely cured your attempt at poisoning your cert.  I'm down to a
handful of user IDs.

One of them will have a very carefully-curated digital trail.  The
others will not.  Congratulations: I've just found the identity you want
to keep secret.  Now I know there's some connection between this
identity and the small number of user IDs that are left after depoisoning.

Now it's just a matter of time until I figure out who you are and what
fake identity you're using... and here's the rub: until I saw over 100
UIDs on your cert, I wouldn't have given a damn and wouldn't have bothered.

The worst thing you can do in your situation is to draw attention to
your mistake.  Your poisoning attempt is genuinely counterproductive.
You're making yourself visible.

I cannot advise against this course of action strongly enough.  Burning
your current fake identity is probably far safer and more effective.



More information about the Gnupg-users mailing list