Re: Why hashed User IDs is not the solution to User ID enumeration
On 1/28/2012 2:24 AM, John Clizbe wrote:
> I don't see a way that a rolling-upgrade to a no-modify supporting version could be accomplished without breaking things in the process. The only way I can envision doing this is to form a completely new network and let servers migrate into it as they upgrade to the no-modify supporting version. In a way, that's also undesirable as it divides the widely distributed network in two.

There's also a human factors element, which we're currently handwaving.

If I have a copy of 0xDECAFBAD's certificate that has five UIDs, all of which have trusted signatures on them, and a second copy that has seven UIDs, five of which I consider valid due to having trusted signatures on them, well -- which of the two is canonical? The OpenPGP answer is neither: validity and trust are not the same as canonicity.

However, human beings tend to get rather obsessed with canonicity. Look at the kerfuffle over our President's birth certificate record. The original one is on file somewhere in a Hawai'i government office: a differently-formatted copy of the birth certificate was given to the press. Both documents are equally valid. Neither document is canonical. The U.S. public had a hard time wrestling with that: a whole lot of people sincerely believed the presence of two equally-valid but differently-formatted birth certificate records meant something was hinky.

Now imagine explaining to new OpenPGP users that yes, sometimes you'll get a copy that has 5 UIDs and sometimes you'll get one that has 7, depending on which keyserver you query, but both of them are equally valid. Same thing.

And before anyone says, well, yeah, but the huge deal about the President's birth certificate was the product of a whole lot of political paranoia by whackjobs, I will point out that one thing our community has *never* lacked for is paranoid whackjobs.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why hashed User IDs is not the solution to User ID enumeration
On 1/28/2012 12:48 AM, Jerome Baum wrote:
>> It isn't just that no one's written the code: it's that there's no community consensus to deploy such code, even if it were written. It would be a pretty major flag day. After all, if one keyserver enforces it and others don't, then that's going to create a pretty obvious syncing problem.
>
> What syncing problem is that? Wouldn't the crypto-supporting keyserver simply sync out (provide to other keyservers) its published packets and sync in everything (yet drop packets without a publish signature)?

We have two scenarios: either the no-modify keyserver retains all the now-ignored signatures or else it doesn't. For sake of argument, let's call the no-modify keyserver 'Alice', and the old keyserver 'Bob'.

Scenario 1: Alice throws away the now-ignored data.

Bob: Hi, Alice! Let's sync.
Alice: Hi, Bob! I see we have different records for 3,731 certs.
Bob: Here you go, Alice!
Alice: Thanks. [reads 3,731 certs, strips off now-verboten UIDs]

... five minutes later ...

Bob: Hi, Alice! Let's sync.
Alice: Hi, Bob! I see we have different records for 3,731 certs.
Bob: Here you go, Alice!
Alice: Thanks. [reads 3,731 certs, strips off now-verboten UIDs]

[24 hours and a few million redundant cert exchanges later]

To: Alice's Administrator ad...@alice.org
From: Bob's Administrator ad...@bob.org
Subject: FIX YOUR BROKEN KEYSERVER ALREADY

I've removed you from my peer lists until you can fix your installation.

Scenario 2: Alice retains the now-ignored data, serving to GnuPG clients the version that honors no-modify, and serving to other keyservers the full version.

Bob: Hi, Alice! Let's sync.
Alice: Are you a GnuPG client or a keyserver?
Bob: [glazed look in his eye] I'm sorry, Alice, that's not a request I understand. I'm an SKS keyserver, version 1.1.2. Could you repeat?

Scenario 2a: As with 2, but now we have an SKS 1.1.3 that somehow identifies itself as being a keyserver and not a GnuPG client.

Bob: Hi, Alice! Let's sync.
Alice: Are you a GnuPG client or a keyserver?
Bob: Why, a keyserver, of course.
Alice: Cool! Here, have these certs, complete with the data that you shouldn't distribute outside of the keyserver network. Remember, that stuff is for us to use for ease of sync, not to be given to end-users under any circumstances, or else they'll wonder what the point is in the no-modify flag!
Bob: Uh. Sure. Whatever you say, Alice.

(Bob, being a 1.1.3 SKS server, has no idea what Alice is talking about: he doesn't support no-modify.)

Scenario 2b: As with 2, but now imagine you have a malicious host, Mallory, who wants to get full certificates.

Mallory: Hi, Alice! Let's sync.
Alice: Are you a GnuPG client or a keyserver?
Mallory: [twirls Snidely Whiplash moustache] A keyserver!
Alice: Here, have all these certs, complete with the UIDs that shouldn't be distributed outside the keyserver network!

...

Short version: for no-modify to work with the existing keyserver network, everyone would have to make the cutover or else the network would drown in sync messages. There's a real possibility that if just a few hosts didn't make the cutover that the keyserver network could go down, DDoSing itself into absolute oblivion as it desperately tried to sync keys infinitely.
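The two scenarios in the message above, as an added worked model that is not part of the thread and not SKS code. It assumes a certificate is a set of UID packets, that a packet is "authorized" when it carries a publish signature the no-modify server accepts (the crypto check is abstracted to a boolean), and that reconciliation compares a per-certificate digest and exchanges every certificate whose digests differ. Scenario 1 (strip on ingest) never converges; scenario 2 (retain for peers, filter for clients) converges after one round but hands the full data to anything that claims to be a peer, which is exactly Mallory's move in 2b.

```python
"""Toy model of reconciliation between a legacy keyserver ('Bob') and a
keyserver enforcing a hypothetical no-modify flag ('Alice').
Added example; not SKS code.  Constructed data only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    uid: str
    authorized: bool  # True = bears a publish signature Alice accepts (assumption)


def digest(packets):
    """Stand-in for the per-cert hash that reconciliation compares."""
    return tuple(sorted(p.uid for p in packets))


class LegacyServer:
    """Bob: merges everything it receives and never drops a packet."""

    def __init__(self, name):
        self.name = name
        self.db = {}

    def ingest(self, keyid, packets):
        self.db[keyid] = self.db.get(keyid, frozenset()) | frozenset(packets)

    def for_peer(self, keyid):    # what another keyserver gets during sync
        return self.db.get(keyid, frozenset())

    def lookup(self, keyid):      # what a GnuPG client gets
        return self.db.get(keyid, frozenset())


class NoModifyServer(LegacyServer):
    """Alice.  retain_ignored=False is scenario 1 (strip on ingest);
    retain_ignored=True is scenario 2 (keep for peers, hide from clients)."""

    def __init__(self, name, retain_ignored):
        super().__init__(name)
        self.retain_ignored = retain_ignored

    def ingest(self, keyid, packets):
        if not self.retain_ignored:
            packets = [p for p in packets if p.authorized]
        super().ingest(keyid, packets)

    def lookup(self, keyid):
        return frozenset(p for p in self.db.get(keyid, frozenset()) if p.authorized)


def sync_round(a, b):
    """One reconciliation round.  Returns how many certs had to be exchanged."""
    exchanged = 0
    for keyid in set(a.db) | set(b.db):
        pa, pb = a.for_peer(keyid), b.for_peer(keyid)
        if digest(pa) != digest(pb):
            a.ingest(keyid, pb)
            b.ingest(keyid, pa)
            exchanged += 1
    return exchanged


def run_scenario(retain_ignored, max_rounds=10):
    """Five signed UIDs on both sides; two unauthorized ones only on Bob (constructed)."""
    signed = [Packet(f"uid{i}@example.org", True) for i in range(5)]
    unsigned = [Packet("spam1@example.org", False), Packet("spam2@example.org", False)]
    alice = NoModifyServer("alice", retain_ignored)
    bob = LegacyServer("bob")
    alice.ingest("0xDECAFBAD", signed)
    bob.ingest("0xDECAFBAD", signed + unsigned)

    rounds = []
    for _ in range(max_rounds):
        n = sync_round(alice, bob)
        rounds.append(n)
        if n == 0:            # converged: nothing left to exchange
            break
    return {
        "rounds": rounds,
        "converged": rounds[-1] == 0,
        "client_view": len(alice.lookup("0xDECAFBAD")),
        # for_peer() is also what Mallory gets by claiming to be a keyserver
        "peer_view": len(alice.for_peer("0xDECAFBAD")),
    }


if __name__ == "__main__":
    for retain in (False, True):
        print("retain_ignored=%s -> %s" % (retain, run_scenario(retain)))
```

Each round in scenario 1 re-exchanges the same certificate because Bob's digest still contains the two stripped UIDs; capping the loop at ten rounds is the only thing that stops it. The model has no notion of peer authentication, which is the point of scenario 2b: the "are you a keyserver?" question is answered by whoever is asking.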
Re: Why hashed User IDs is not the solution to User ID enumeration
On 2012-01-28 09:26, Robert J. Hansen wrote:
> ...
> Short version: for no-modify to work with the existing keyserver network, everyone would have to make the cutover or else the network would drown in sync messages. There's a real possibility that if just a few hosts didn't make the cutover that the keyserver network could go down, DDoSing itself into absolute oblivion as it desperately tried to sync keys infinitely.

Scenario 2a, until all keyservers are upgraded (even over a period of years). Then just flip the switch to disable sync with old keyservers.

But I don't think no-modify makes sense anyway, like I said. Just an interesting problem.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-- 
nameserver 217.79.186.148
nameserver 178.63.26.172
http://opennicproject.org/
-- 
No situation is so dire that panic cannot make it worse.
Re: Why hashed User IDs is not the solution to User ID enumeration
On Sat, 28 Jan 2012 02:52, jpcli...@tx.rr.com said:
> Having keyservers support no-modify requires that they first support crypto. That's a really big step.

And a dangerous step. With keyservers doing crypto, beyond a possible TLS connection, they will be very low hanging fruit for DDoS attacks. With today's cheap botnets it will be very easy to flood the keyservers with requests to add new user ids or signatures. Even if they queue the requests they will be unresponsive and worse it will not be possible to upload legitimate key updates (e.g. revocations).

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. (Thoughts are free. Exceptions are governed by a federal law.)
Re: hashed user IDs redux [was: Re: Creating a key bearing no user ID]
Hi

On Friday 27 January 2012 at 12:48:30 AM, in mid:4f21f45e.7060...@dougbarton.us, Doug Barton wrote:
> put whatever you like in the name and e-mail fields, and notify the people you communicate with

Which is exactly what I do already, using a key with "MFPA <a@b.c>" as its sole User ID.

> There is no software modification needed to accomplish what you want to do.

I also want people who already have an email address for me (or potentially a name, if not too common) to be able to use that as a search string to find my key from a server.

To achieve the two simultaneously would need some string in the UID that could be found by searching for the email address or name but could not be converted back to that search string.

-- 
Best regards

MFPA                    mailto:expires2...@rocketmail.com

I don't suffer from insanity I enjoy every minute of it.
[META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
gnupg-users@gnupg.org

This is not directed at any one individual; also, other mailing lists have the same problem imho.

Ideally, (my ideal), the generic one would simply address e-mails to gnupg-users@gnupg.org as

  (a) To: gnupg-users@gnupg.org

nothing more, nothing less. Such an addressing scheme makes it easy to filter and order gnupg-users@gnupg.org e-mails.

Instead, there's substantial variation, examples:

  (b) To: gnupg-users@gnupg.org
      Cc: x...@y.tld
  (c) To: x...@y.tld
      Cc: gnupg-users@gnupg.org
  (d) To:
      Cc: gnupg-users@gnupg.org
  (e) To: x...@y.tld, gnupg-users@gnupg.org
  (f) To: gnupg-users@gnupg.org, x...@y.tld

(b) and (f) are not such a problem for filtering and/or ordering because they are similar to (a). (c), (d), and (e) do not filter/order well.

(d) is the worst form imho because e-mails without a To: component are the most likely to end up in one's spam folder; in some cases, depending on one's isp, such e-mails might not even be delivered to one's client pc, i.e., they might be rejected at some mail server's gateway.

FWIW, e-mail does not really have a To:, Cc:, or Bcc: field; all three are embellishments added by the e-mail client software. Behind the scenes, To:, Cc:, and Bcc: are ALL simply RCPT-TO.

Please, and thank you.

Regards, Gerry

__
Gerry Lowry, Partner http://twitter.com/gerryLowry1947
Ability Business Computer Services ~~ Because it's your Business, our Experience Counts!
68 John W. Taylor Avenue Alliston Ontario Canada L9R 0E1
705.250.0112
gerry.lo...@abilitybusinesscomputerservices.com
https://www.gerrylowryprogrammer.com
http://abilitybusinesscomputerservices.com
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
On Sat, Jan 28, 2012 at 06:49:27AM -0500, gerry wrote in 005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com:
> gnupg-users@gnupg.org
>
> This is not directed at any one individual; also, other mailing lists have the same problem imho.
>
> Ideally, (my ideal), the generic one would simply address e-mails to gnupg-users@gnupg.org as
>
>   (a) To: gnupg-users@gnupg.org
>
> nothing more, nothing less. Such an addressing scheme makes it easy to filter and order gnupg-users@gnupg.org e-mails.

Or filter on the List-Id header perhaps. That one is always set when you receive mail from the mail list. Seems easier to set such a filter than to expect the world to be trained into sending email in your preferred way.

(Also, apply such a filter then before any spam blocking on empty To: lines etc.)

Cheers,

Remco
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
On 2012-01-28 12:49, gerry lowry +1 705 250-0112 alliston ontario canada wrote:
> FWIW, e-mail does not really have a To:, Cc:, or Bcc: field; all three are embellishments added by the e-mail client software. Behind the scenes, To:, Cc:, and Bcc: are ALL simply RCPT-TO.

FWIW, (MIME) e-mail does really have a To: and a Cc: field. It also has an implied Bcc: field (not on To: or Cc:). Behind the scenes, To:, Cc:, and Bcc: are ALL simply FIELDS.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-- 
nameserver 217.79.186.148
nameserver 178.63.26.172
http://opennicproject.org/
-- 
No situation is so dire that panic cannot make it worse.
RE: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
Hello Remco and Jerome,

FWIW, with Microsoft Outlook Express under WinXP, to view your responses, I must explicitly open (Remco's 666 byte/Jerome's 549 byte) attached body documents in an editor; alternately, I can display the message properties:

  Alt+Enter    == display properties
  Ctrl+Tab     == move to the details page
  Alt+M        == show message source
  Alt+Space, x == maximize
  Page Down    == to begin viewing your actual reply.

With Microsoft Outlook 2010, your messages appear more easily BUT are also shown as attachments.

Thank you both for replying:

Remco
> Or filter on the List-Id header perhaps. That one is always set when you receive mail from the mail list.

{GL} this would work, BUT I already have very many filters for other purposes, plus, if others would address messages as per my suggestion, the filter would be unnecessary; likely many users have no idea as to how to set a filter.

Remco
> (Also, apply such a filter then before any spam blocking on empty To: lines etc.)

{GL} Remco, you've missed my point ... spam blocking also occurs for many individuals at or before your incoming e-mail ever gets downloaded to their computer.

Jerome
> FWIW, (MIME) e-mail does really have a To: and a Cc: field. It also has an implied Bcc: field (not on To: or Cc:). Behind the scenes, To:, Cc:, and Bcc: are ALL simply FIELDS.

{GL} is that not what, for all intents and purposes, I wrote?

> FWIW, e-mail does not really have a To:, Cc:, or Bcc: field; all three are embellishments added by the e-mail client software. Behind the scenes, To:, Cc:, and Bcc: are ALL simply RCPT-TO.

If the sender's e-mail client did not add the FIELDS, the recipient would see NOTHING for To:, Cc:, Bcc. If the sender is NOT using an e-mail client (i.e., sending manually), she/he would (a) type RCPT-TO x for each intended recipient. E-mail client software also must insert RCPT-TO. She/he could add the FIELDS to the beginning of the message body; FIELDS do not in the raw data exist outside of the message body.

Cheers,

Gerry
Re: hashed user IDs redux [was: Re: Creating a key bearing no user ID]
MFPA wrote:
> On Friday 27 January 2012 at 12:48:30 AM, Doug Barton wrote:
>> put whatever you like in the name and e-mail fields, and notify the people you communicate with
>
> Which is exactly what I do already, using a key with "MFPA <a@b.c>" as its sole User ID.
>
>> There is no software modification needed to accomplish what you want to do.
>
> I also want people who already have an email address for me (or potentially a name, if not too common) to be able to use that as a search string to find my key from a server.
>
> To achieve the two simultaneously would need some string in the UID that could be found by searching for the email address or name but could not be converted back to that search string.

This is simpler than you're trying to make it. Try this experiment

    gpg --keyserver pool.sks-keyservers.net --search-keys gswot

Note that the search results returns the key and all the UIDs if just one of the UIDs contains your search term. The keyservers break a UID down into words and index each word. If I search for MFPA, I'll get all keys that have an UID containing MFPA along with all the UIDs on those keys.

To achieve the two goals, you only need to put each in its own UID. Just remember once they locate the matching key, they will have all the information in all the UIDs. You may need --allow-freeform-uid as Werner pointed out earlier when creating these User IDs.

Sorry, but there is no way to only return a single UID matching the search term. Things were never designed that way. (So there's really no reason not to put all three in a single ID.)

-- 
John P. Clizbe                      Inet: John ( a ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
     mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
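The per-word indexing John describes, as an added toy model that is not part of the thread and not SKS code. It assumes the server splits each UID on non-alphanumeric characters, indexes each word case-insensitively, ANDs the words of a query, and returns the whole certificate for any hit (real SKS tokenizing differs in detail). The constructed data puts the nickname and a real address in separate UIDs on the same certificate, which is the layout MFPA asked about; a search for either word still returns both UIDs.

```python
"""Toy model of keyserver search-by-word.  Added example; not SKS code."""
import re
from collections import defaultdict


def words(text):
    """Split a UID or query into lower-cased words (approximation of SKS tokenizing)."""
    return {w.lower() for w in re.split(r"[^A-Za-z0-9]+", text) if w}


class ToyKeyserverIndex:
    def __init__(self):
        self.certs = {}                  # fingerprint -> list of UID strings
        self.index = defaultdict(set)    # word -> set of fingerprints

    def add(self, fingerprint, uids):
        self.certs[fingerprint] = list(uids)
        for uid in uids:
            for w in words(uid):
                self.index[w].add(fingerprint)

    def search(self, query):
        """Return {fingerprint: all UIDs} for every cert containing all query words.
        There is no way to return only the matching UID: the unit of storage
        and of transfer is the whole certificate."""
        terms = words(query)
        if not terms:
            return {}
        hits = set.intersection(*(self.index.get(t, set()) for t in terms))
        return {fp: self.certs[fp] for fp in sorted(hits)}


def build_sample_index():
    # Constructed data: fingerprints and addresses are placeholders, not real keys.
    ks = ToyKeyserverIndex()
    ks.add("FP_MFPA", ["MFPA <a@b.c>", "Some Name <name@example.org>"])
    ks.add("FP_OTHER", ["Other Person <other@example.net>"])
    return ks


if __name__ == "__main__":
    ks = build_sample_index()
    for q in ("MFPA", "name@example.org", "example", "nobody"):
        print(q, "->", ks.search(q))
```

Searching for "MFPA" returns the certificate with the "Some Name" UID attached; searching for the address returns the "MFPA" UID. Splitting information across UIDs changes nothing about what a searcher sees once one word matches.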
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
On 28/01/12 12:49, gerry lowry +1 705 250-0112 alliston ontario canada wrote:
>   (d) To:
>       Cc: gnupg-users@gnupg.org
> [...]
> (d) is the worst form imho because e-mails without a To: component are the most likely to end up in one's spam folder; in some cases, depending on one's isp, such e-mails might not even be delivered to one's client pc, i.e., they might be rejected at some mail server's gateway.

This is a heuristic: RFC2822/RFC5322 do not require the field to be present, but if there isn't one, it increases the probability the mail is spam. Rejecting a mail for not having this field, while the rest doesn't look very spammy, is overly zealous, and I would be upset with the person who installed such a filter on my mailbox. In the default SpamAssassin setup, it seems not having a To:-field is one point towards the 5 points needed to be marked as spam. Note that other aspects might deduct points and you can end up negative (which is a good thing).

> FWIW, e-mail does not really have a To:, Cc:, or Bcc: field; all three are embellishments added by the e-mail client software. Behind the scenes, To:, Cc:, and Bcc: are ALL simply RCPT-TO.

You are confusing different layers. SMTP doesn't care about those fields, but the Internet Message Format RFC's, 2822 and 5322 do. You are confusing envelope with letter. Furthermore, SMTP genuinely doesn't care about those fields, they are not mapped to RCPT TO:. RCPT TO: is part of the envelope, and handed to SMTP, it does not deduct them from the fields. The mapping is these days usually performed by the e-mail client software, which you did not consider to be "behind the scenes", apparently.

Peter.

PS: You should look for a better solution to filter/order your mails into their proper locations if your current solution cares about order of addressees. There is no order in those, and any order needed by a filter is IMHO a bug. Personally, I use the Sieve language to tell my IMAP server what to do :).

    require "fileinto";
    if address ["to", "cc", "bcc", "resent-to"] "gnupg-users.org" {
        fileinto "GnuPG-Users";
    }

This is a deliberately suboptimal filter; I just use the List-ID as Remco suggested.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
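Remco's List-Id suggestion and Gerry's To:-column sorting, side by side, as an added example that is not part of the thread. The script constructs the six To:/Cc: variants (a) to (f) from Gerry's message plus one non-list message, then runs two classifiers over them: one that keys on the first To: address (what sorting by the To: column amounts to) and one that keys on the List-Id header, which the list software sets on every copy regardless of how the sender addressed it. The List-Id value "gnupg-users.gnupg.org" is an assumption in Mailman's usual style; the real header was not quoted in the thread.

```python
"""List-Id filtering versus To:-column sorting.  Added example; constructed messages."""
import email
import re
from email.utils import getaddresses

LIST_ADDR = "gnupg-users@gnupg.org"
LIST_ID = "gnupg-users.gnupg.org"   # assumed Mailman-style List-Id value


def build_samples():
    """Constructed messages mirroring variants (a)-(f) plus an unrelated one."""
    tail = f"List-Id: GnuPG users <{LIST_ID}>\nSubject: test\n\nbody\n"
    return {
        "a": f"To: {LIST_ADDR}\n" + tail,
        "b": f"To: {LIST_ADDR}\nCc: x@y.tld\n" + tail,
        "c": f"To: x@y.tld\nCc: {LIST_ADDR}\n" + tail,
        "d": f"Cc: {LIST_ADDR}\n" + tail,                # no To: field at all
        "e": f"To: x@y.tld, {LIST_ADDR}\n" + tail,
        "f": f"To: {LIST_ADDR}, x@y.tld\n" + tail,
        "spam": "To: victim@example.org\nSubject: buy now\n\nbody\n",
    }


def first_to_is_list(raw):
    """Sorting on the To: column keys on the first To: address only."""
    msg = email.message_from_string(raw)
    addrs = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    return bool(addrs) and addrs[0].lower() == LIST_ADDR


def list_id_matches(raw):
    """Match the <list-id> token of the List-Id header, ignoring To:/Cc: entirely."""
    msg = email.message_from_string(raw)
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    return bool(m) and m.group(1).lower() == LIST_ID


def classify():
    """name -> (matched by To:-column rule, matched by List-Id rule)."""
    return {name: (first_to_is_list(raw), list_id_matches(raw))
            for name, raw in build_samples().items()}


if __name__ == "__main__":
    for name, (by_to, by_list_id) in classify().items():
        print(f"{name}: to-column={by_to} list-id={by_list_id}")
```

The To:-column rule catches only (a), (b) and (f), as Gerry observed; the List-Id rule catches all six and rejects the unrelated message. As Remco noted, the List-Id check has to run before any rule that penalises a missing To: field, or variant (d) is lost before it is filed.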
Re: hashed user IDs redux [was: Re: Creating a key bearing no user ID]
On 1/28/2012 7:25 AM, MFPA wrote:
> I also want people who already have an email address for me (or potentially a name, if not too common) to be able to use that as a search string to find my key from a server.

And, as we've said several times, we run into the key enumeration problem.

> To achieve the two simultaneously would need some string in the UID that could be found by searching for the email address or name but could not be converted back to that search string.

This does not address the key enumeration problem.

MFPA, we've already spent much more time on this issue than I think is warranted. Your idea would be nice if it could happen, but it does not appear to me to be possible. There is no theoretical understanding of how to solve the problem and no implementation offered that comes anywhere near to passing my sniff test. I can't speak for anyone else, but I'm done. I will not be addressing this subject again until such time as things change.
RE: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
Hi Peter (Lebbing)

Depending on one's point of view, the e-mail client UI is either behind the scenes or the scene. My PoV is that everything that is necessary to display the e-mail to my vision, is behind the scenes. That includes all activity from start to end, including what the e-mail client does to extract raw text (headers/body) and make it look pretty to my eyes. The UI is the scene imho.

Peter, remember please, most end users are unlikely to have your in depth appreciation of the RFC universe. OTOH, most end users can click on the (date received/From/Subject/To/et cetera) columns to easily, efficiently, and quickly rearrange their inbox in a new order.

Compare for example the current "Why hashed ..." thread ...

  From          To
  Doug Barton   Robert J. Hansen
  Jerome Baum   Doug Barton
  Doug Barton   Jerome Baum

FWIW, I'm a masochist ... my inbox has several thousand recent messages.

If the above messages were scattered through my inbox, but looked like this:

  From          To
  Doug Barton   gnupg-users@gnupg.org
  Jerome Baum   gnupg-users@gnupg.org
  Doug Barton   gnupg-users@gnupg.org

I could easily pull them, as well as other gnupg-users@gnupg.org, together simply by clicking on the To: column header.

Gerry

P.S.: FWIW, gnupg-users@gnupg.org is a list, not zig zag exchanges among individuals.
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
On 2012-01-28 16:57, gerry lowry +1 705 250-0112 alliston ontario canada wrote:
> [snip a bunch of stuff about how you want us to change our emailing habits so your inbox looks better]

It's your inbox.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-- 
nameserver 217.79.186.148
nameserver 178.63.26.172
http://opennicproject.org/
-- 
No situation is so dire that panic cannot make it worse.
RE: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
Jerome, nay, not so my inbox looks better, rather because it's the right thing to do for the greater good, imho.

Peace, Gerry
Re: Why hashed User IDs is not the solution to User ID enumeration (was: Re: Creating a key bearing no user ID)
On Fri, Jan 27, 2012 at 07:52:56PM -0600, John Clizbe wrote:
> Having keyservers support no-modify requires that they first support crypto. That's a really big step.

To my knowledge, no one is working on such an initiative in SKS or any other keyserver. I'm working on an OpenPGP library which may sprout a keyserver daemon supporting this, but there's no guarantee that that will happen anytime soon, if ever. Don't hold your breath.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
> FWIW, I'm a masochist ... my inbox has several thousand recent messages.

I suggest trying procmail or similar.

    cat ~/.forward
    |/usr/local/bin/procmail
    cd ~/mail ; ls -1 Inbox | wc -l ; find . -type d | wc -l
    117
    461

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Reply below not above, cumulative like a play script, indent with .
Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
@Yahoo.com mail rejected @berklix. Get a non yahoo address.
Re: hashed user IDs redux [was: Re: Creating a key bearing no user ID]
Hi

On Saturday 28 January 2012 at 1:37:17 PM, in mid:4f23fa0d.1040...@enigmail.net, John Clizbe wrote:
> To achieve the two goals, you only need to put each in its own UID. Just remember once they locate the matching key, they will have all the information in all the UIDs.

Which is precisely what I don't want. I'm looking for a means to place searchable information in UIDs in an obscured format. The aim is that locating the matching key does not reveal any extra information - the user would know that one of the UIDs matched, but the other UIDs would remain as useless noise.

-- 
Best regards

MFPA                    mailto:expires2...@rocketmail.com

Dollar sign - An S that's been double crossed
Re: hashed user IDs redux [was: Re: Creating a key bearing no user ID]
MFPA wrote:
> On Saturday 28 January 2012 at 1:37:17 PM, John Clizbe wrote:
>> To achieve the two goals, you only need to put each in its own UID. Just remember once they locate the matching key, they will have all the information in all the UIDs.
>
> Which is precisely what I don't want. I'm looking for a means to place searchable information in UIDs in an obscured format. The aim is that locating the matching key does not reveal any extra information - the user would know that one of the UIDs matched, but the other UIDs would remain as useless noise.

Which is why I also wrote in that message:

John Clizbe wrote:
> Sorry, but there is no way to only return a single UID matching the search term. Things were never designed that way. (So there's really no reason not to put all three in a single ID.)

To repeat: OpenPGP and the keyserver network were NEVER designed to operate in the manner you wish. I doubt they ever will operate in that manner. You cannot blind a UID from other UIDs on a certificate. The day keyservers selectively return certificate information is the day the keyservers no longer are trusted.

Like Rob, I'm done. There is no more to explain. Adios. Sayonara. Goodbye.

I'm going back to work on getting SKS to run on Windows.

-John

-- 
John P. Clizbe                      Inet: John ( a ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
     mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
Re: hashed user IDs redux [was: Re: Creating a key bearing no user ID]
Hi

On Friday 27 January 2012 at 10:49:43 AM, in mid:4f228147.7090...@digitalbrains.com, Peter Lebbing wrote:
> Hi MFPA,
>
> Can I ask what about the dkg--noenum-0ee5be979282d80b9f7540f1ccd2ed94d2173...@fifthhorseman.net form does not satisfy your requirement that the mailinglisten--noenum-zttgfznhu3rnkfyaxjuym...@hauke-laging.de does? Or do you not agree with the latter form either?

Is the idea that email addresses in the latter form contain enough entropy to render enumeration infeasible, so they could usefully be hashed and the digest placed in a UID? If so, it is a small enough price to pay.

The scheme to use the fingerprint in the email address is interesting because it neatly avoids the need for keysigning. I'm not sure what it adds towards obscuring searchable information in UIDs - does the fact that the fingerprint is known for the specific key mean it doesn't really add much entropy? Or is the point that searching on the email address doesn't find the key, you have to search for the fingerprint (and the UID doesn't contain the email address at all, not even obscured)?

> I'm not sure of your requirements. I thought all that was needed was a way to find a key belonging to an e-mail address without requiring the e-mail address to be in the UID.

The requirement I stated (or thought I had) was that the email address (or name) could not be determined from the UID but searching a keyserver for the email address (or name) would find the key.

Using the fingerprint is an interesting workaround. Would a search for dkg--noenum-0ee5be979282d80b9f7540f1ccd2ed94d2173...@fifthhorseman.net find the key with fingerprint 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 or would the user need to just search for 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 to get the key?

-- 
Best regards

MFPA                    mailto:expires2...@rocketmail.com

If it aint broke, fix it till it is broke!
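MFPA's entropy question above, and the thread title's claim that hashed User IDs do not stop enumeration, as an added worked example that is not part of the thread. It assumes a hypothetical scheme in which the UID holds the hex SHA-256 of the lowercased address, so a correspondent who already knows the address hashes it and searches for the digest. Against guessable addresses the hash buys nothing: an attacker hashes a candidate list and matches digests, which is ordinary dictionary enumeration. An address whose local part carries 40 hex characters of entropy (constructed here, not a real address) falls outside any candidate list, which is the property the noenum-style addresses are reaching for.

```python
"""Dictionary enumeration of hashed UIDs.  Added example; hypothetical scheme,
constructed data."""
import hashlib
import itertools
import math


def hashed_uid(address):
    # Hypothetical scheme: unsalted SHA-256 of the lowercased address as the UID.
    return hashlib.sha256(address.strip().lower().encode()).hexdigest()


def lookup(published, address):
    """What a correspondent does: hash the address they already know and search."""
    return hashed_uid(address) in published


def enumerate_hashed(published, local_parts, domains):
    """Attacker: hash every candidate and match against the published digests."""
    table = {hashed_uid(f"{lp}@{dom}"): f"{lp}@{dom}"
             for lp, dom in itertools.product(local_parts, domains)}
    return {h: table[h] for h in published if h in table}


# Constructed data: two ordinary addresses and one with 40 hex chars of entropy.
HIGH_ENTROPY = "noenum-9c1f4e7a2b5d8e0f3a6c1d4b7e9f2a5c8d0b3e6f@example.org"  # constructed
ADDRESSES = ["alice@example.org", "bob@example.com", HIGH_ENTROPY]
PUBLISHED = {hashed_uid(a) for a in ADDRESSES}   # what the keyserver would hold

CANDIDATE_LOCAL_PARTS = ["alice", "bob", "carol", "info", "admin", "postmaster"]
CANDIDATE_DOMAINS = ["example.org", "example.com", "example.net"]


def demo():
    recovered = enumerate_hashed(PUBLISHED, CANDIDATE_LOCAL_PARTS, CANDIDATE_DOMAINS)
    return {
        "recovered": sorted(recovered.values()),
        "not_recovered": len(PUBLISHED) - len(recovered),
        "search_works": lookup(PUBLISHED, "Alice@Example.org"),
        # bits an attacker must guess for the 40-hex-char local part
        "high_entropy_bits": math.log2(16 ** 40),
    }


if __name__ == "__main__":
    print(demo())
```

The same property that makes the hashed UID searchable (anyone who knows the address can compute the digest) is what makes it enumerable: the attacker's candidate list is just a long list of addresses other people know. Only the entropy of the address itself, not the hash, separates the two cases.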
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
I read my mail in plaintext (RAND MH) from the command line, so things like quoted-printable, base64, UNICODE, HTML, etc., are all a fuss and bother. My ask is thus for plaintext with line breaks, trimming the quoted material down to the relevant parts, and no top-posting. I'd also vote for the list having a reply-to header.

The above applies to all mailing lists, including here. I can cope; this is just my ask.

Please and thank you,

--dan
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
On 01/28/2012 04:40, Remco Rijnders wrote:
> Or filter on the List-Id header perhaps. That one is always set when you receive mail from the mail list. Seems easier to set such a filter than to expect the world to be trained into sending email in your preferred way.

+1

-- 
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
Re: hashed user IDs redux [was: Re: Creating a key bearing no user ID]
On 01/28/2012 04:25, MFPA wrote:
> Hi
>
> On Friday 27 January 2012 at 12:48:30 AM, in mid:4f21f45e.7060...@dougbarton.us, Doug Barton wrote:
>> put whatever you like in the name and e-mail fields, and notify the people you communicate with
>
> Which is exactly what I do already, using a key with "MFPA <a@b.c>" as its sole User ID.

Right.

>> There is no software modification needed to accomplish what you want to do.
>
> I also want people who already have an email address for me (or potentially a name, if not too common) to be able to use that as a search string to find my key from a server.

Assuming that you have to pass your s0uP3r Se3kr!7 e-mail address OOB anyway, just pass them the fingerprint at the same time.

-- 
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
Re: [META] please start To: with gnupg-users@gnupg.org, i.e.: To: gnupg-users@gnupg.org
On Sat, 28 Jan 2012 12:22:56 -0500 gerry lowry +1 705 250-0112 alliston ontario canada gerry.lo...@abilitybusinesscomputerservices.com wrote:
> Jerome, nay, not so my inbox looks better, rather because it's the right thing to do for the greater good, imho.

It isn't for the greater good if the onus to please the few (or the one) is placed on the many.

An example of doing the right thing for the greater good would be for you to use a standard sig delimiter (newline dash dash space newline).

-- 
Mike "glad to be of service" Yetto