sks-devel

Re: [Sks-devel] Dump


From: Robert J. Hansen
Subject: Re: [Sks-devel] Dump
Date: Wed, 13 Oct 2010 22:35:45 -0400
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/13/2010 9:36 PM, R P Herrold wrote:
> just because something CAN be done does not mean it should be done,
> and here particularly with a fine cache of email addresses intact
> for spammers to target (rather than having to pull them one-off)

Two things:

1.  Shielding email addresses is just bad strategy.  If your anti-spam
measure is built on keeping your email address secret, then once your
email address gets out (and they all do, eventually!) your plan falls
apart.  It is wiser to assume the spammers already have your email
address and rely on anti-spam measures that are robust even then.

Kerckhoffs's Principle, paraphrased: "the adversary knows the system."
In crypto we build systems and assume the bad guys have perfect
knowledge about how the system works, about everything involved in the
system except the secret key.  Kerckhoffs's works well for crypto.  It
also works well for anti-spam measures: assume the spammer already knows
about you.

2.  People who upload their certificates to the server have already made
a conscious decision to publish their certificates far and wide.
They've voluntarily entered their email addresses into a worldwide
searchable database where anyone, /anyone/, can get a copy of it.
Keeping the keydump away from Google is not going to make life any
harder for the spammers.  There's already strong evidence suggesting
spammers are already harvesting the keydump anyway.

> I think you are running around solving a problem that does not
> exist,

No comment on this.

> and [impairing] the privacy of a whole community's members

This is nonsense.
-----BEGIN PGP SIGNATURE-----

iFYEAREIAAYFAky2bIEACgkQI4Br5da5jhA1ogDcDBvf18YA8MI7s6FP177iAdrZ
k9cwBWaOfnrwJADeNtlEe7ixQYM/KcoRPh9VhfD3md5JtO1Zdvma/A==
=JOLy
-----END PGP SIGNATURE-----
