hashed user IDs [was: Re: Security of the gpg private keyring?]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Mar 10 21:44:00 CET 2011
On 03/10/2011 03:09 PM, Hauke Laging wrote:
> You have validated my key (among others) and I (among others) have validated
> Ben's. Now you want to validate Ben's key indirectly. Ben's key has ten
> signatures, the one by my key is the only one usable for you. The next person
> who tries to validate find another signature useful. It's perfectly OK for me
> that you can see that I have signed Ben's key but why should others know that?
> Why should you be able to find out who are the other ones who have made
> signatures for Ben's key?
>
> I would make a local signature if I would not want to let anyone know that I
> have verified the key. But in that case you could not verify Ben's key what I
> am willing to enable. The motto is: Don't reveal more than necessary. You have
> to reveal something in order to make the whole thing work but you don't have
> to reveal all.
How does hashed user IDs address this particular question? You don't
need to care about the User IDs on keys if you just want to map
relationships.
If i'm mapping relationships, and i decide from that mapping that a
particular keyholder is "interesting", *then* the hashed User IDs might
become a minor stumbling block in my figuring out who the keyholder is
in the "real world".
But the point of User IDs is to bind human-intelligible (and therefore
likely low-entropy) "real world" information to keys. So if i have
reasonable computer resources at my disposal, reversing the digest of
low-entropy material seems like a possibility.
If you want to keep the fact that one keyholder has verified another
keyholder's identity secret, you cannot solve that by obscuring the User
IDs.
The right way to solve that is with non-exportable OpenPGP
certifications, which must be passed between users explicitly.
For example:
"Hi Bob, I'm Alice. Charles vouches for my identity as you can see from
this non-exportable cert."
In this example, Charles does not want the world to know that he has
certified Alice's key. But he's willing to let Alice decide who knows
this information, so he gives her a copy of his non-exportable cert.
After Alice has introduced herself to Bob this way, both B and A know
about the C->A certification, but the rest of the world is still at a
loss. either B or A could share this certificate with anyone else, of
course. It's out of C's hands as soon as he gave a copy of the
non-exportable cert to A.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110310/c880f61a/attachment.pgp>
More information about the Gnupg-users
mailing list