Why hashed User IDs is not the solution to User ID enumeration
Robert J. Hansen
rjh at sixdemonbag.org
Sat Jan 28 06:14:49 CET 2012
On 1/27/2012 8:52 PM, John Clizbe wrote:
> Having keyservers support no-modify requires that they first support crypto.
> That's a really big step.

(John undoubtedly knows this, but I suspect a lot of people didn't catch
the implications -- so let me elaborate.)

SKS is a surprisingly lightweight thing: it requires very little in the
way of CPU usage, even when making large updates. (My keyserver is
currently running with a load of 0.06.)

As soon as keyservers have to do bignum arithmetic on certificates,
you're going to see a lot higher CPU loads. This doesn't mean "we
should never ever do it," but it does mean before doing such a thing
there would have to be broad consensus from the keyserver community to
do it.

It isn't just that no one's written the code: it's that there's no community
consensus to deploy such code, even if it were written. It would be a
pretty major flag day. After all, if one keyserver enforces it and
others don't, then that's going to create a pretty obvious syncing problem.

It is, as he said, "a really big step."