Hi Vedaal-- i'm confused by your proposal. some clarifying questions follow:

On 01/25/2012 04:31 PM, [email protected] wrote:

> [1] The person who wants to create a new key, first generates a
> symmetrically encrypted gnupg message, and decrypts it and gets the
> session key.

This seems like it might just be an elaborate way to ask for a random number, but i'm not sure what the intent is. Is it just trying to get a decent-sized chunk of randomness? or is there another purpose? if it's just about randomness, rephrasing more simply might make this clearer.

> [2] Hash the [(preferred key name)+(session key)+(e-mail address)]

What is the "preferred key name"? are you expecting users to name their keys?

> [3] Generate the key with the uid of
> [(preferred key name)+(session key)+(e-mail address)]

What happened to the hash here? are you suggesting that the User ID is the digested form or the non-digested form?

> [4] Identify the key to the server by the hash.

OpenPGP certificates are handed to the keyserver as is; the keyserver chooses how to index them. What do you mean by "identify the key to the server by the hash"?

> These steps would defeat harvesting tools enumerating the low
> entropy names and hash ranges.

I'm still not sure i follow. Can you explain more? How would these keys be identified by a user searching for them? How would third parties verify the user ID before signing?

> Personally, I agree with David Shaw, that the problem can be
> avoided by just generating a random UID (maybe a truncated session
> key) and giving the fingerprint and UID to anyone who wants to look
> it up on the keyserver, as well as the e-mail address separately to
> whomever the user wants to correspond with.)

how does your proposal above compare to David Shaw's (seemingly simpler) proposal, or to the proposal i outlined elsewhere in this thread?

--dkg
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
