On 2/28/11 7:09 PM, Daniel Kahn Gillmor wrote:
> On 02/28/2011 06:38 PM, David Shaw wrote:
>> I think the problem here is the large size of the deployed infrastructure
>> that expects user IDs to have email addresses in them combined with the
>> relatively few people who are asking for this feature. To make this change,
>> you'd have to have a keyserver that could search in that manner, plus client
>> support to make the hashes when talking to the keyserver, etc. You'd have
>> to handle the very-small-but-non-zero chance of a hash collision in the user
>> ID, too.
>
> the folks in the monkeysphere project have put some thought and work
> into trying to specify how this sort of thing should be approached.
>
> however, i'm not convinced that hashed user IDs save much against even
> a moderately dedicated attacker, for the same reason that dan bernstein
> rightly points out the failure of NSEC3 to avoid zone enumeration:
>
> http://dnscurve.org/nsec3walker.html
>
> --dkg
I was actually just thinking about monkeysphere with regards to this topic. You guys basically came up with a loose, pretty-obvious standard for key names and wrote the tools from there. Ultimately, the keyservers don't care or need to know what a UID is at all.

I think something similar could be done with hashed emails. Just some (non)standard like:

hashed_uid://$SHA1_OF_EMAIL/$RIPEMD_OF_EMAIL

But using something better than my obviously naive hash-collision prevention algorithm.

If that could be agreed on, you could probably get a few mailing list regulars to add that ID in addition to their normal UIDs. From there start with a shell script that writes out a correct 'gpg --search-keys' request. Then on to more advanced things, like adding hashed_uid search to the default sks-keyserver pages, enigmail integration, etc.

Really the only problem is that MFPA is stuck doing all the work until (if ever) the (non)standard starts to take off. And it's a lot of work.

-- 
Grant
"I am gravely disappointed. Again you have made me unleash my dogs of war."
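As an added illustration of the sketch above (example code written for this page, not from the thread, monkeysphere or GnuPG), here is a small Python construction of such a hashed_uid string, the gpg --search-keys invocation the shell script would emit, and a candidate-list check that shows why dkg's NSEC3 caveat applies: a hashed address is only as private as the address is unguessable. The lower-casing before hashing, the function names and the keyserver placeholder are my assumptions; the SHA-256 fallback exists only so the demo runs on Python builds without RIPEMD-160.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

SCHEME = "hashed_uid://"
KEYSERVER = "hkp://keyserver.example"  # placeholder, not a real keyserver


def _normalise(email: str) -> bytes:
    # Assumption: strip and lower-case so "Alice@Example.org" and
    # "alice@example.org" hash to the same UID (otherwise lookups miss).
    return email.strip().lower().encode("utf-8")


def digests(email: str) -> Tuple[str, str]:
    """(SHA-1, RIPEMD-160) hex digests of the normalised address.

    RIPEMD-160 is the second hash in the sketch; if this Python build
    lacks it, SHA-256 is substituted so the demo still runs (assumption)."""
    data = _normalise(email)
    sha1 = hashlib.sha1(data).hexdigest()
    try:
        second = hashlib.new("ripemd160", data).hexdigest()
    except ValueError:
        second = hashlib.sha256(data).hexdigest()
    return sha1, second


def hashed_uid(email: str) -> str:
    """Build the user ID string: hashed_uid://<sha1>/<ripemd160>."""
    return SCHEME + "/".join(digests(email))


def parse_hashed_uid(uid: str) -> Optional[Tuple[str, str]]:
    """Split a hashed_uid string back into its two digests, or None."""
    if not uid.startswith(SCHEME):
        return None
    parts = uid[len(SCHEME):].split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def search_command(email: str) -> List[str]:
    """argv a client would run to look up a key by hashed address."""
    return ["gpg", "--keyserver", KEYSERVER, "--search-keys", hashed_uid(email)]


def guess_address(uid: str, candidates: Iterable[str]) -> Optional[str]:
    """dkg's caveat: anyone holding a list of plausible addresses can
    recover the address behind a published hashed UID by hashing each."""
    target = parse_hashed_uid(uid)
    if target is None:
        return None
    for cand in candidates:
        if digests(cand) == target:
            return _normalise(cand).decode("utf-8")
    return None
```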
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users