hashed user IDs [was: Re: Security of the gpg private keyring?]

MFPA expires2011 at ymail.com
Sat Mar 12 19:05:28 CET 2011


Hi


On Friday 11 March 2011 at 1:54:57 PM, in
<mid:4D7A29B1.4010706 at sixdemonbag.org>, Robert J. Hansen wrote:


> It is useful to quite a lot of people.  Look at how
> many people map out webs of trust for entirely innocent
> purposes.  In fact, mapping out webs of trust is
> necessary for the WoT idea to even work.  "Well, I've
> signed Frank's key and I see that Frank's signed
> Gianna's key, and I trust Frank so..."

The WoT can be mapped with or without names. In your example, how is
your trust enhanced by knowing Gianna's name? "I signed Frank's key
and I see that Frank's signed a key that has user ID
'7b7581fe6670a6a4a29b2fd46eaf5ac34a6a86d134fe8931729e66970b707349
<466ffe71badce782db1808ee80bd01dabf0d95e4a3b8ccbbe5fcdc68b86c2bb9>',
and I trust Frank so..."

How does the WoT idea require me to know the names or email addresses
associated with the keys in the trust path? The text strings in User
IDs do not feature in the trust calculation.



>> It's perfectly OK for me that you can see that I have
>> signed Ben's key but why should others know that?

> Because this is not an ORCON system.  The system is
> built around public certifications and private
> certifications.  You're talking about introducing an
> entirely new method, something which seems basically
> like an ORCON certification: "I'll make the
> certification, but I get to control who gets to learn
> about the certification."

That one sentence quoted in isolation from Hauke could be construed in
that way. But take into account the context and it becomes clear that
he was saying no such thing. A certification made by a key that had
hashed user IDs would be just as visible as any other certification.
What would not be visible (at least to people who didn't already know
it) is the identity and email address of the certifying key's owner.


--
Best regards

MFPA                    mailto:expires2011 at ymail.com

A nod is as good as a wink to a blind bat!
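
The point argued above, as an added example that is not part of the original post and not GnuPG code: a certification path is found from key IDs alone, while a hashed user ID can only be confirmed by someone who already knows the name and email. The SHA-256 choice, the function names, the placeholder key IDs and the example.org identities are all assumptions, and the path search is a simplification rather than GnuPG's trust model.

```python
import hashlib
import hmac
from collections import deque

def hashed_user_id(name, email):
    """Build a hashed user ID: hex digest of the name, then of the email in <>.
    Assumption: SHA-256 over the UTF-8 text; the post does not name the hash."""
    digest = lambda text: hashlib.sha256(text.encode("utf-8")).hexdigest()
    return f"{digest(name)} <{digest(email)}>"

def uid_matches(published_uid, name, email):
    """True only for someone who already knows the name and email on the key."""
    return hmac.compare_digest(published_uid, hashed_user_id(name, email))

def certification_path(certs, start, target):
    """Breadth-first search over (signer, signed) key-ID pairs.
    User ID strings are never consulted, only key IDs."""
    signed_by = {}
    for signer, signed in certs:
        signed_by.setdefault(signer, []).append(signed)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in signed_by.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

# Constructed sample data: placeholder key IDs and example.org identities.
CERTS = [("KEY_ME", "KEY_FRANK"), ("KEY_FRANK", "KEY_GIANNA"),
         ("KEY_GIANNA", "KEY_ME")]
UIDS = {"KEY_GIANNA": hashed_user_id("Gianna Example", "gianna@example.org")}

if __name__ == "__main__":
    # The path is found without reading any user ID text.
    print(certification_path(CERTS, "KEY_ME", "KEY_GIANNA"))
    # What the public sees on the key: two opaque digests.
    print(UIDS["KEY_GIANNA"])
    # Someone who already knows the identity can confirm it; a wrong guess fails.
    print(uid_matches(UIDS["KEY_GIANNA"], "Gianna Example", "gianna@example.org"))
    print(uid_matches(UIDS["KEY_GIANNA"], "Someone Else", "else@example.org"))
```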



