Hi

On Saturday 12 March 2011 at 11:06:14 PM, in <mid:4d7bfc66.3040...@sixdemonbag.org>, Robert J. Hansen wrote:

> If nobody's looking for people's email addresses, then there's no need to not publish email addresses.

That assumes that there is no need to obscure a piece of information unless it is known that somebody is actively looking for the information. In my world you obscure certain information simply because it is nobody else's business. Just like you move stuff to the drawer or filing cupboard because there is an off chance that somebody walking through the office might read it if left on the desk, not because you think they are specifically looking for it.

> And if there's a need to not publish email addresses, that's because somebody's looking for them.

That suggests that all information should be published unless it can be demonstrated there is a compelling reason to not publish. Whilst this is true for some categories of information, it is not universally true for all information. Much information relating to corporations or individuals would not be published unless there were a compelling reason to publish.

My email addresses are personal contact information relating to me as an individual. I know of no reason to publish any of my email addresses to anybody other than those with whom I use that email address to communicate; they are quite simply nobody else's business. In the absence of a reason to publish, there is no requirement for a reason to not publish.

> It is not good enough right now to prevent an even moderately skilled attacker from recovering email addresses.

Just like a moderately skilled attacker could look in the desk drawer or filing cabinet, or could open the envelope that obscures a bank statement or telephone bill. Those schemes are good enough for the minimal level of protection they seek to provide.

> This scheme offers the illusion of security instead of actual security:

It offers no such thing. In order to be an illusion it would need to be fooling somebody. The scheme was never claimed to offer security against any form of attack more severe than casual snooping, and never could, because anybody could add signatures to the key that stated the unhashed version of any of the hashed strings.

The scenario of a spammer brute-forcing and then spamming was interesting, if a little esoteric. Usually, spamming subsides after a few weeks and (aside from a certain amount of irritation and wasted time) is of little consequence. If the spammer published a list enumerating the email accounts that went with the particular key ID then it might be a significant attack against this scheme. Even then, it would have little relevance unless the list (or maybe a link to it) were in a signature appended to the key.

> and I feel selling people an illusion is a deeply corrupt act.

Insurance companies, amongst others, earn billions by doing just that. But this scheme is no illusion; I am aware of no pretence that it offers anything it does not.

> I mean, really, is that what you want to sell? Or should this be taken as a, "the idea of blinded UIDs is a good one, but this idea is inadequate and should be taken back to the drawing board"?

It depends on the reason for wishing to use blinded UIDs. You have demonstrated limitations to this idea; I still believe it to be adequate for my purposes. More thought is needed, followed by further discussion at some point.

-- 
Best regards

MFPA mailto:expires2...@ymail.com

Wise men learn many things from their enemies.
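As an added illustration, not code from the thread or from GnuPG, of the check a correspondent who already knows an address can run against a key's blinded UIDs. The UID format `Name <hashed:sha256:HEX>` (SHA-256 over the trimmed, lower-cased address) is an assumption for this example; the thread does not specify the scheme's format.

```python
import hashlib
import hmac
import re

# Assumed UID convention for this example (not specified in the thread):
# "Name <hashed:sha256:<hex SHA-256 of the normalised address>>".
HASHED_UID_RE = re.compile(r"<hashed:sha256:([0-9a-f]{64})>")


def normalise_address(address: str) -> str:
    """Canonical form hashed by both the key owner and the verifier."""
    return address.strip().lower()


def address_digest(address: str) -> str:
    return hashlib.sha256(normalise_address(address).encode("utf-8")).hexdigest()


def hashed_uid(name: str, address: str) -> str:
    """Build a blinded UID carrying only a digest of the address."""
    return f"{name} <hashed:sha256:{address_digest(address)}>"


def matching_uids(key_uids, address):
    """Return the blinded UIDs on a key that match an address the caller
    already knows. This is the legitimate correspondent's check; it works
    only because the caller supplies the address. The same recomputation
    is open to anyone holding a candidate address, which is why the scheme
    resists casual reading of the key but not deliberate guessing."""
    expected = address_digest(address)
    found = []
    for uid in key_uids:
        match = HASHED_UID_RE.search(uid)
        if match and hmac.compare_digest(match.group(1), expected):
            found.append(uid)
    return found


# Constructed sample key with one plain and two blinded UIDs (not a real key).
SAMPLE_UIDS = [
    "MFPA <plain-example@example.invalid>",
    hashed_uid("MFPA", "Personal.Alias@example.invalid"),
    hashed_uid("MFPA", "work-alias@example.invalid"),
]

if __name__ == "__main__":
    print(matching_uids(SAMPLE_UIDS, "personal.alias@example.invalid"))
```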