The solution to this problem is simple.  We want to be able to look
up keys on the key servers by email address or user name or keyid.
But we don't want the system to be useful for spam harvesting.

Simply require that lookups be by valid email address or user name.
Eliminate the wildcard searching.  Then spammers won't be able to find
email addresses in a very efficient or useful way.

Now, it may be argued that this is too strict, that we do need some
wildcard searches because of slight variations in spelling of email
addresses and names.  Fine, we can allow this without allowing full
wildcarding.  Supporting a "loose search" mode where some letters are
different or some email hostname components vary will solve the problem
without letting spammers snarf the whole keyring.

Keep in mind, first, that there are many other sources of email
addresses on the net, and second, that many (or most!) of the keys on
the keyservers use obsolete email addresses.  Key servers are not a fat
target for spammers.  But the trivial measures above would go a long
way towards eliminating the problem.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to