Exposing email addresses on key servers
Jesse Cheung
jesse200808+gpg-users at gmail.com
Sun Jun 28 07:20:07 CEST 2009
Gracias Faramir y Allen!
On Sun, Jun 28, 2009 at 11:09 AM, Faramir<faramir.cl at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Jesse Cheung escribió:
>> Dear all,
>> I learned that public keyservers are a good way for key exchanges.
>> But I am still a little concerned: after all, the UID's contain my
>> email addresses so by sending my keys up I am exposing my email
>> address to everybody. I'm not sure if there are spammers out there
>> doing all these key queries looping over every key-id, but it sounds
>> technically possible doesn't it (unless the key-id's are statistically
>> _very very_ sparse)?
>
> Indeed, there are some spammers gathering email addresses from
> keyservers, but it seems (from previous discussions about that in the
> list) it is not notorious among all the other spam sources...
I am very new here, so would anybody kindly give me a reference where
this previous discussions happened?
>
> You can also use a freeform UID, which contains name and comment, but
> leave the email field empty.
Yeah I found it a good idea! BTW it seems the file format doesn't
really stop us from putting invalid email address in the UID, so is
there a switch in gpg/gpg2 command line that skips email address
format checking altogether? My intension is to put obscured email
addresses, like rot13(xxx) or reversed(at-dot(email)) kind of stuff in
that field. Seahorse can do that, but only when generating keys, not
adding new UIDs
Cheers,
Jesse
More information about the Gnupg-users
mailing list