hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Wed Mar 2 02:05:10 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Tuesday 1 March 2011 at 1:54:25 AM, in
<mid:4D6C51D1.6030908 at fifthhorseman.net>, Daniel Kahn Gillmor wrote:


> However, i'm quite serious about the flaws paralleling
> the failures of NSEC3 to prevent DNS zone enumeration.
> the problem space is slightly different, but i think
> the math comes out about the same in terms of the cost
> of trying to brute force these things.

> Ultimately, i think Hashed User IDs provide only weak
> benefit against the equivalent of zone enumeration
> through the keyservers (which is presumably the goal),
> so understanding these arguments and providing a
> convincing refutation of them (or outlining an entirely
> different benefit) is probably the first task someone
> would need to take on.

My analogy, admittedly not a direct comparison, would be having a
phone number that is ex-directory. It is no defence against random
dialling, nor against your number being recorded from outgoing calls
if you don't take steps such as withholding the CLI, nor against
somebody who has your number passing it on without your permission.
Despite these failings there is still benefit in being ex-directory.



> Having a hashed User ID alongside your non-hashed User
> ID provides no benefit at all

Those of us who use different email addresses with different contacts
(and/or periodically change email addresses) might generate a hashed
user ID for each email address, maybe with a non-hashed user ID for
our name. Similarly with role-based user IDs, a user might have their
name in a non-hashed UID but use hashed UIDs for their roles.


- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Is it possible to be a closet claustrophobic?
-----BEGIN PGP SIGNATURE-----

iQE7BAEBCgClBQJNbZfYnhSAAAAAAEAAVXNpZ25pbmdfa2V5X0lEIHNpZ25pbmdf
a2V5X0ZpbmdlcnByaW50IEAgIE1hc3Rlcl9rZXlfRmluZ2VycHJpbnQgQThBOTBC
OEVBRDBDNkU2OSBCQTIzOUI0NjgxRjFFRjk1MThFNkJENDY0NDdFQ0EwMyBAIEJB
MjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0N0VDQTAzAAoJEKipC46tDG5pw4wD/1R0
qopVlkQLWTmidAyoAZeFOqgVmGTh40Ppu2nN49qq19+VZUFllAf/QcZw8+x3sWjh
TRdvLlMbvHRCtw6pqbWayW4aRN3NnMpWtUZnqnyEaErtGic8XgrD9O963dIcMvHd
kmNIf28PN774kNydUgF1hKyhBq6m/JAJ4BbCdQKV
=l3Bc
-----END PGP SIGNATURE-----
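The brute-force cost that the quoted reply compares to NSEC3 zone enumeration can be made concrete. The Python below is an added example, not code from this thread, from GnuPG, or from any hashed-user-ID proposal. The hashing scheme it uses (SHA-256 over the trimmed, lowercased address, optionally chained over a public salt and iteration count) is an assumption standing in for whatever a real scheme would specify; the keyserver dump and the guess lists are constructed for the example. The point it shows is structural: because a correspondent who already knows an address must be able to recompute the hashed UID, salt and iteration count have to be public, so an attacker who scrapes the hashed UIDs only needs to hash a dictionary of plausible addresses, exactly as with NSEC3 owner names.

```python
import hashlib
import itertools


def hashed_uid(email: str, salt: bytes = b"", iterations: int = 1) -> str:
    """Hashed user ID for an address (ASSUMED scheme, not a GnuPG one).

    The address is normalised (trim, lowercase) and SHA-256 is applied
    `iterations` times over salt || value.  Salt and iteration count have
    to be public, otherwise a correspondent who already knows the address
    could not recompute the UID to look the key up.  That is the same
    constraint NSEC3 lives under, and the reason enumeration stays cheap.
    """
    value = email.strip().lower().encode("utf-8")
    for _ in range(iterations):
        value = hashlib.sha256(salt + value).digest()
    return value.hex()


def candidate_addresses(local_parts, domains):
    """Dictionary of guesses: every local part crossed with every domain."""
    return [f"{lp}@{d}" for lp, d in itertools.product(local_parts, domains)]


def enumerate_hashed_uids(dump, candidates, salt=b"", iterations=1):
    """Recover the addresses behind hashed UIDs scraped from a keyserver.

    Builds a lookup table hash -> address over the candidate list once, then
    matches every scraped UID against it; the cost is one hash chain per
    candidate regardless of how many keys are in the dump.
    """
    table = {hashed_uid(c, salt, iterations): c for c in candidates}
    return {uid: table[uid] for uid in dump if uid in table}


def work_factor(local_parts, domains, iterations=1):
    """Number of hash computations the attacker needs for the whole dictionary."""
    return len(local_parts) * len(domains) * iterations


# Constructed sample data: what an attacker might scrape from a keyserver.
PUBLIC_SALT = b"example-keyserver-salt"   # assumed public parameter
ITERATIONS = 1000                         # assumed public parameter
REAL_ADDRESSES = ["alice@example.org", "bob.smith@example.com",
                  "private-role@example.net"]
KEYSERVER_DUMP = [hashed_uid(a, PUBLIC_SALT, ITERATIONS) for a in REAL_ADDRESSES]

# Constructed guess lists; "private-role" is deliberately absent, so that
# UID survives the attack only because it is not in the dictionary.
LOCAL_PARTS = ["alice", "bob", "bob.smith", "info", "postmaster", "webmaster"]
DOMAINS = ["example.org", "example.com", "example.net"]


def demo():
    """Run the dictionary attack against the constructed dump."""
    candidates = candidate_addresses(LOCAL_PARTS, DOMAINS)
    return enumerate_hashed_uids(KEYSERVER_DUMP, candidates, PUBLIC_SALT, ITERATIONS)


if __name__ == "__main__":
    recovered = demo()
    print(f"{len(recovered)} of {len(KEYSERVER_DUMP)} hashed UIDs recovered "
          f"with {work_factor(LOCAL_PARTS, DOMAINS, ITERATIONS)} hash computations")
    for uid, addr in recovered.items():
        print(f"  {uid[:16]}...  ->  {addr}")
```

Two of the three constructed UIDs fall to an 18-entry dictionary at 1000 iterations each, 18,000 hashes in total; the one that survives does so only because its local part was not guessed. Raising the iteration count raises the attacker's cost and the legitimate correspondent's lookup cost by the same factor, which is the sense in which the ex-directory analogy above holds: the hashed UID is no defence against "random dialling", but it does keep the address out of a plain listing.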