libravatar-fans team mailing list archive

Thread
Date

Re: Discussion: API keys - follow up from IRC

To: libravatar-fans@xxxxxxxxxxxxxxxxxxx
From: Tristan Le Guern <tleguern@xxxxxxxxxxx>
Date: Tue, 12 Mar 2019 14:03:30 +0000
Autocrypt: addr=tleguern@xxxxxxxxxxx; keydata= mQINBFM6juABEACnhw/sVzuGMZO4g70Skm3Us3u4TSbb1ZZI+qVjSYz+fKQe9DNuEIxP8c4r W0oNNknJpjvqWjwaX6O/yt+wlUGhfjhxyBLrOCjPwkwsMJw6qRUmqx3E/IDY9+bMj3rL6tnv 5j39AQXlsUSauKTguanZLBj9fk+SjwmJaHiM91IphVXDpLW9+NSzQPUPNQGIlAJvYy3GXMDO 3obWIUdm1RqTkmqahO3eFKRO5K6ssA+yIWTW9BeK2ev4gBQfaVzFsaa5bgVMUjgKoHgOndf5 gRSTwqLLlHFusPFM5AErd3t3gbE+9XAZ4Nqhpu8HpI32jRfNRNWFbzceCLvcW7/7DXHZT2A0 4pqv5bkslBtvVCcNnFca+95d9TNu0mUVamJ3frVa5ZduiNu60ZK3vbw+nbxIdlM2OsZpF5xT rtKt2R8Ac9Xb3X/lvNmLEVehAFGfvriCiQxRth9cDPSbSgejXzNleFUyGAkqkZ0jx9oQHgUR dI+Dx+r1m4ju07nsntCK0JohhST5MjIVLq7ExWh23du6a25qBejaN9IiWKjdg9L/maPR36Jf Q61E8+9aNCQZJbB/zdFUXHqS+Cw06hMeWBfF3s0XQz0dl6hZ1PIiqD6XsoKAjmrNY5+/YRUv Am+SZQLd8Fqa01xhlWP7r3w28Cy/0K5rglqhiJKABF4QClTvmwARAQABtDJUcmlzdGFuIExl IEd1ZXJuIChNYWluIGtleSkgPHRsZWd1ZXJuQGJvdWxlZGVmLmV1PokCNgQTAQgAIAUCUzqO 4AIbAwQLCQgHBRUKCQgLBRYCAwEAAh4BAheAAAoJEDI40Wpfc/oyi38P/3VH4vGDY8ucEQ8C fQThgEzHNhn4bS6/h3EEjXVjA5rAhkYDn0+bSFO50VojxyPxOO1qwMwsmWY2Gnl6EGwrBVHQ eERcpqssQbrFhTKBsslthOG7rpSrR1oAhxF4Wki5NfYWjeqFbZLPaU5LMLIJPel4R14bu33r MERCN5J0VXVP7z/Ylo/FB/p+2/D0/H5c3H8MvWbFOz5Fz7oKxHyd9flVMSWJIxJrGSPbiR0B PyT38XgCeqvL8jxOU/AxauDTNSd6bIlay1qH4KV6tn5L4Ug1Z4SahJZkKSznyZMdvYMH5WtX tzsu1WAQUDzEWd5mwAacn+uGip0DmqVeTDGCwcGI9N8F9wduFjRBfUvgrUUYma+XhClhaVwC fFuu1CMoozjMlw8OxCiDt0KMNg1LyH23QN3F/xjXklB9w3nR5r4zEaTnQ8vHJE6iFKNnrzGQ KdflcbhVLxvfNHirSy426lzvHcNPy3QNdvx0Xh1MSe5Mkw9+tmD37hRLbjt91YZDhjtu54qS 0tcp9JvlqKtp2AvhWuvtOlqN28Tv6wjg2jL8UlYpnw6/ykk8n1Wa28cHrjbrYcDJ38lQlvvh CP/BYopnjLpFGTb3eFoLayMrnPeiCIQPcoz0Wv9XSaqF5Pi5QX1WwPQEd4Erd+1nP2pdBz+D x+rvJjq61TCyqB5LDThTuQINBFM6juABEADgkD/p/7TATiese5m9SLKVyw2tKWFJX2AqPOUv qBO7wpZHHzKg2Xly4DV/A5Bo8JFdNqIigGtH3ex1K8iZPzxGWLBxfMMG3m2AVe54gWwR3a3y TM+MRasktDmDqvk8rEOEXqm0J8FLjMydJu0LI/ISxGLU6X1cRTLEbSWkcxl5zZ4mejV2SUtA oMJjKtZqjxH46vE/Buvjb3Aier8uCc1kp4uebJVF9WHFUwIDtjlEFbs1cIbTra0rrMa42P/e gmCBJL1y45TVuhZW7mUGgQt2+RiRktwcMdaOAyNoav0ybtjjmFKB7Mu37vdgwX/YEfJebSuh BX7TSJDj2W5qrXW0CzpKjv7A/lkKmJaYoKxdzpcFTynHAEKmGxQ/fbN/y2BfXk2hSGizHYxK OWkikKAQl60fe3uqL45JKqxN9wmXHlzzSr+GDvDwjXW3gnH9LiP1F/VDlnin/mgjC1MuCXS+ hsdG7D9SrxBUzPZ8zSY/JB9X3kSOABGlywAWqGSnW0zefBd0cvAMU4J048/k3vlWWxSvvRPU DbgSr0QHuXbXjT4drPyFPtrCU8u0nUZggAQJCbIQTg3cgFLCifvcIm0O8T8ROIaHcl31FWBe gq6nyFZ3/aql/hsACM6UFIXXjik2rrqvtJB2ZFmbnaNa/mqILMoj7nEdTpSzQVr8vVwGJQAR AQABiQIfBBgBCAAJBQJTOo7gAhsMAAoJEDI40Wpfc/oy5OgP/27mipK34GEZiZg9yi11KT0n O68U+SI9k0oDi/2DdHLmeaB/vGuW2UMENRS/D7sxrzepvm9mvkQkgH0hFwuhfbBmoKwgSKLt ds40DexLArq0VPkNJlcFnFbW3zHALUe7x5b9RJ/I+SHmVtWdr97rqhld7bwW6DLcktSMI+k/ Bgf3cHf8Rfu6w6vN7IgxFs4renlYI4WzuHGuKrrridQeoUezI37kYJqoqys+hHJcPpPwSrOA QSITJWrRMl9aGJ9WJ2vFl4HBjmiDVwIpaY3B3XzlEUBMQD82AvhCJVeCpmTiWsgdF2VyspEE EntTIb6TVYqBxP9dxmJtKPBco3NNg4LVLDXUv4GrjMpAkYE5EP+x7lsMbtt7GJhBYkKT8wBS g0jGHFKiML6CyMGtBIMzdwp3YuwCumj0NHw+1hgmOVoQA2rQiUxEQ2OLl7Q3qtQDS0yYzdSN B7p8bdwKYETG0ifSkPsV/48aMRw99VSE0PIPKUF+RMDQ7nSlQZLr1veNZbe1TW9EszKcS1Gl h4XZG/82vyNrefaBj8QdOBkB+90fjXTnffU0J4VmJFjHN3xP2x6XRxXu+EMt+HDdKjExhMEu 8n0z2DXULtKuLlzNeb5gMLOZBDYuX/Y3pv+mj45crurIC31ktwnjamAjbjIxnDXqkTG6eKJk kmH24qLgqb0kuQINBFx+YzMBEAC3OAw6QlaokYFUy4N01+Z6/LBgyqOoA8jcmAk4ruAMVafR hFuoaCs/e7JDTgGjP9k1gGgZo7TaxT6G3ZcKdPETFHA9htRomknxZvQv06Agg1fqC/Kg3Fsm kKOCJGIf06Len8luKYqIcJGEMYjzm5WeYthObQVSyGEKUdfgm6G7vbnZGsId1D6NT8Z+IPPR Veu+wLTTRvVphINk1U9N3hhn9ZeFTCJxNZVAnUs5HnZCAjCKHOHKEfmUR4Q+shZQMh6qsanu ZDhfZAItbT13fpfkMmsVbMROjEUSBbd87kEsgYS1PIyQ8P1zQ3kojBMOkri5AF4cZ2NfmVNY Idks+nGl5WFyeo2hRlxoWTmPT+heVFU1yRmyFGT5qjPlg4133Pk57LzGPEC8WQHMYDX8Ycj6 HLmtj7c1e0JZPS0AnU5h6OWJRpZa+Xuyghrhsa8XdtcreGF9GBZlFgUhVfrE+yXex8jWMa+5 IJkPfJUeKC1D3t3pgK+J2VRtdXXQGcpsn58W20rJs/9iC9ak4GYZpCAbqlrbTABtCztr3UCe o1sqmwbBgmorZ0qmWmK/yODwDs0FGROHpZi0iSt5ndLHY+Eaclfi4fU0Mq9hFrMganGy0gbX XyD0rmAZe1V0IchXEdJyGq8pS0bD2QTQ+HuyR8QuK+Awjv7yI3xWYBzqFurdSQARAQABiQRE BBgBCAAPBQJcfmMzAhsCBQkB4TOAAikJEDI40Wpfc/oywV0gBBkBCAAGBQJcfmMzAAoJEN6X P3ivSpwQNJIP/RCI5cI9NpI16qkpRe+K/z2/Sf5RSgW5ycx1bChTC2aK8gqEn6qQsDKW0G0Y wtcoV3M+lvRaZ2EeLYqHLCEdvIAhjqpmESlBeN+pIpJPVxABBeX5noIurg8SwUXANCOaOH1U X7D9p6gAy05VQ95W+Ma2N7l5mTdc9JJlAW1ELWH9o5czzrqCCtDGkITq0AJxr0ZEp6ivfUWO bgcJh0fVHYDD0qVht5cQto7NherHJFSp1YCGqSkfKO1SOquG4nyNZifox+Kl4/SUrzP7CaED hQFRKs3z1FwT8qXJwJJM3l1Anpoh6sbqjYls2Q474CF3Cm9UMKGplfJA3Vul+LvqMiBoSmET rXaC6cIDHvlfytlzfEatMTMAUMGSgkwag0OQu6SDPnjcOf+mME6QLhykqub6bCSfQjmDPZDO ab2Z3GZAi/1BGAWVO88OfmuTVi2b/had6aPBVZb40kqrTi1PeXfkO3opv4kQk0Cew+bfOmiz x5+oOHNfT4ri9+ZYtKx3XUWQU+3EhW+6YTvGBzqmTiqC9L6sPSnJZ4JLTIHBA0l2etIaTO3Q df5PoRl6izfFWY0GQZQ76GayuIl2stlTi+AE3kfTImi72KNfibOq0sjhae9WZN52WISIyjYG MFayJWG/l8WUbja3kXCNSreoCQlKmDbgY0yEMV8eeDJvJW/kZs8P/juSxIxPEINRp2nqzaIE yCY2k54t+BjkkRtrINqYzZ05vhRmqDhw9H+KjK0/+jhaPzBOYzvRjcsfT2O8jIMLGRv2/RnZ nvr9N6VojDPXsVjuzCoTkqv5cmpmneHlp0rVBDijFdZhWOBwu69Z475u68omBpKklcqPhLeS riIwXfSSunRBecIKinFz1owxPp1Ztf/TmlmccDuKOegSd9o1gYuDHJA147mwjy+xgjQ08P69 xcvrWhdzwxd3+2mAQ7H0a3mr1NiZBlmFQkETSDTM7Y4mlpmcTjfKH88u3FaXcCFAR2BPJLz6 +UCUF6t7fP7J2ayhyK8aEIFEDzaVchawvTxURIzA+YgddQNz9AOe4YhwtSEHkCkGPIpqpvPv xrFl427ewfwbBjo3wqeAaj1l5Nkwc8s/8GgFo8TvvqSK9wgw8fVTPaasRZWuO+BT4TianfoZ fuccpQaEKdv6X6Bz0RYt0IkQIVhKcezdLOOOKX1/SMrGElfv/CpRnP05MwA+FoZhokuu02RL +tgEN6CoEdJ04EWVzbP/76460IrafxcoaEgF46uKIDThoueaOYv3jdh15uf8eV0kxzmYQKW7 p5O7fykg6Jb1pD5k/lZptMHaz3yuawUo6PaB2W6hEYr0JxR0UYsz1d/anHPlffGuc0ZR+Fte b2kl7uaTeN6MsdvP
In-reply-to: <CAGqZTUtyQdO0cmjt6ky-GnFe3vPBNS6DdTBrw3YDrDCPMSpC+A@mail.gmail.com>
Openpgp: id=6CF9F879B361B3D1BCCBFD4E3238D16A5F73FA32
User-agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:60.0) Gecko/20100101 Thunderbird/60.5.2

On 3/12/19 12:59 PM, clime wrote:
> I am missing the point encrypting the hash. I could understand it for
> md5, which is crackable nowdays but not quite for sha256. That hash
> should be non-reversible in practical terms and then we can always just
> jump to sha512 in a few years when hardware is stronger

SHA256 is still susceptible to rainbow tables attack so in theory a
dedicated spammer could still harvest libravatar users' hashes for his
nefarious purpose and use them to validate email addresses. This issue
has been raised since Gravatar's birth.

Oliver proposes a mechanism to solve this issue but with a clear
drawback: in it's current form it breaks federation.

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Discussion: API keys - follow up from IRC
From: Oliver Falk, 2019-03-12

References

Discussion: API keys - follow up from IRC
From: Oliver Falk, 2019-03-11
Re: Discussion: API keys - follow up from IRC
From: clime, 2019-03-12
Re: Discussion: API keys - follow up from IRC
From: Oliver Falk, 2019-03-12
Re: Discussion: API keys - follow up from IRC
From: clime, 2019-03-12