Hi

On Tuesday 24 January 2012 at 3:21:35 PM, in
<mid:4f1ecc7f.6060...@fifthhorseman.net>, Daniel Kahn Gillmor wrote:

> What you're looking to do with this proposed
> hashed-user-id scheme is to find a way to avoid
> allowing people to enumerate e-mail addresses or User
> IDs from the data contained on the keyservers. Right?

That is basically it, yes.

> Certainly, the keyservers will continue to support
> non-digested User IDs, so now tools will need to be
> able to handle both of them; we'll also need a policy
> for end-user agents to answer questions like "when
> looking up this e-mail address, do i send it only in
> digested form to the keyservers for lookup?

That would fail to return keys that had UIDs containing the
non-hashed string, unless the keyservers stored hashes for all
plaintext UIDs.

> or do i
> send it in cleartext form as well, thereby leaking the
> e-mail address to the keyserver operators

Or do I send the hash to one keyserver and the plaintext to another,
thereby doubling the number of enquiries.

> (and to anyone on the network path)?

and use SSL to exclude anyone on the network path?

> Ultimately, i don't think the tradeoffs for this scheme
> are worthwhile for the marginal and limited gain that
> the proposal provides.

Definitely limited; I think of it as little more than a
privacy-enhancing defence against casual snooping rather than a
security measure. But is it really so marginal?

> I'd love to find a solution to
> the User ID enumeration problem, but i don't think
> hashed-user-ids is it.

As I see it, you either:-

include the UIDs in non-human-readable form (e.g. hashed) in the key
that's distributed.

or you distribute UIDs separately from their key.

or when you download a key the copy you get includes only the UID you
requested.

--
Best regards

MFPA                    mailto:expires2...@rocketmail.com

An idealist is a person who helps other people to be prosperous
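
The lookup trade-off discussed in this message, as an added example that is not part of the original post or of any keyserver's code: a toy in-memory keyserver showing that a digest-only query misses keys carrying plaintext UIDs unless the server also indexes hashes of those plaintext UIDs. The SHA-256 digest form, the `sha256:` UID marker, the class and the key IDs are assumptions made for illustration.

```python
import hashlib
import re

def uid_digest(email):
    """Assumed digest form: SHA-256 of the trimmed, lower-cased address."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def email_of(uid):
    """Extract the address from a conventional 'Name <addr>' User ID."""
    m = re.search(r"<([^<>@\s]+@[^<>\s]+)>", uid)
    return m.group(1) if m else None

class ToyKeyserver:
    """Hypothetical in-memory index; not modelled on any real keyserver."""
    def __init__(self, index_plaintext_hashes):
        self.index_plaintext_hashes = index_plaintext_hashes
        self.by_text = {}    # lower-cased address -> set of key ids
        self.by_digest = {}  # hex digest -> set of key ids

    def add_key(self, key_id, uids):
        for uid in uids:
            if uid.startswith("sha256:"):  # assumed marker for a hashed UID
                self.by_digest.setdefault(uid[7:], set()).add(key_id)
                continue
            addr = email_of(uid)
            if addr is None:
                continue
            self.by_text.setdefault(addr.lower(), set()).add(key_id)
            if self.index_plaintext_hashes:
                # Server-side hashing of plaintext UIDs, as the reply suggests.
                self.by_digest.setdefault(uid_digest(addr), set()).add(key_id)

    def lookup_digest(self, digest):
        return sorted(self.by_digest.get(digest, ()))

    def lookup_text(self, addr):
        return sorted(self.by_text.get(addr.strip().lower(), ()))

def demo(index_plaintext_hashes):
    ks = ToyKeyserver(index_plaintext_hashes)
    # Constructed sample keys: one plaintext UID, one hashed UID, same address.
    ks.add_key("KEY-PLAIN", ["Alice Example <alice@example.org>"])
    ks.add_key("KEY-HASHED", ["sha256:" + uid_digest("alice@example.org")])
    digest_only = ks.lookup_digest(uid_digest("alice@example.org"))
    # Sending the cleartext as well finds everything but reveals the address.
    both = sorted(set(digest_only) | set(ks.lookup_text("alice@example.org")))
    return digest_only, both

if __name__ == "__main__":
    print("no server-side hashes:", demo(False))
    print("server hashes plaintext UIDs:", demo(True))
```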