At Tue, 03 Nov 2015 09:30:48 -0500,
Derek Atkins wrote:
"Neal H. Walfield" <neal(_at_)walfield(_dot_)org> writes:
At the IETF 94 OpenPGP WG session, Bryan, if I recall correctly,
suggested that we should try and hide more meta-data. For instance,
instead of listing the recipients, someone decrypting a message would
try each of their available secret keys in turn. Werner pointed out
that these probes are a pain for people who use a passphrase protected
key and I mentioned that it is a pain for people who use a smartcard,
in paritcular, those who use more than one smartcard.
What about using a bloom filter for encoding the recipients? This, of
course, doesn't eliminate the meta-data leak and it can lead to false
positives (= gratuitious passphrase prompts / smartcard prompts), but
it should reduce the metadata leak a fair amount, I think. Thoughts?
There was an extension at one point where you use the string 0x00...00
for the keyID and that forced you to test all your secret keys. There
are certainly times where that is warranted; there are other times where
it is not.
I wasn't at the meeting (in person or virtually) so I'm not sure I
completely understand what the use-case is where the above solution
doesn't work?
Bryan Ford proposed getting rid of all unencrypted meta-data. In
particular, he wanted to get rid of the recipients / number of
recipients.
There are some practical difficulties with this approach,
which I mentioned above.
My proposal is a blue sky idea to avoid having to try to decrypt a
message with every secret key while (hopefully) making it more
difficult to get at the list of recipients.
Neal
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp