Information disclosure: Sensitive information (user+fqdn hostname) leaked on client public key information
Skywing
Skywing at valhallalegends.com
Thu Mar 27 01:35:56 CET 2008
It seems that the silc client seems to like to put out fqdn hostname+unix login information for the user/machine that generates the silc client keypair. This information is freely available to anyone via /getkey <uniquename> (at least using the official client).
I didn't see this mentioned anywhere in the process of making a keypair, and I'd consider giving address + login out to everyone on the network bad, especially as that kind of defeats the point of hostmasking (for machines that are configured with a valid, full hostname and which have not had a keypair copied from a different machine).
(The user's unix realname is also captured in the public key information when the keypair is generated and made available, regardless of what realname information is configured in the silc client config file.)
At the very least, I think that this is something that really ought to be prominently described when making a new keypair. Personally, I think that this information really shouldn't be reported with the keypair at all, but it seems like that's probably already stuck as part of the protocol at this point.
I'd imagine that a number of people would be likely less than thrilled to know that they're giving away the full hostname + their account login names to everyone on any silcnet they connect to (if the machine that generated the client's keypair was configured with a correct full hostname), even if the silcnet advertises itself as doing hostmasking.
(BTW, if any corrections are made to this behavior, I would request that they *not* involve breaking compatibility with the old keyfile format, such that if a decision is made to strip this information from keypairs, the client would simply ignore any pre-existing information in client keyfiles. Having to regenerate a keypair is not necessarily acceptable for persons that have been publishing their key fingerprints.)
- S
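An added example, not part of the original message or of the SILC code base: a check a user could run over their own decoded public key to see which of the fields described above it discloses. It assumes the public key layout from the SILC specification (32-bit total length, then 16-bit length-prefixed algorithm name and identifier, then key data) and an identifier of comma-separated TAG=value pairs with UN, HN and RN tags; the function names and the sample key are constructed for illustration.

```python
import struct

# Tags assumed from the SILC specification's identifier string.
SENSITIVE = {"UN": "unix login", "HN": "hostname", "RN": "real name"}

def build_key(alg: bytes, ident: bytes, key_data: bytes) -> bytes:
    """Build a constructed blob in the assumed layout (for the sample only)."""
    body = (struct.pack(">H", len(alg)) + alg +
            struct.pack(">H", len(ident)) + ident + key_data)
    return struct.pack(">I", len(body)) + body

def _take(blob: bytes, off: int):
    """Read one 16-bit length-prefixed field; reject truncated input."""
    if off + 2 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", blob, off)
    end = off + 2 + n
    if end > len(blob):
        raise ValueError("field runs past end of key")
    return blob[off + 2:end], end

def parse_identifier(blob: bytes) -> dict:
    """Return the identifier's TAG=value pairs from a decoded public key."""
    if len(blob) < 4 or struct.unpack_from(">I", blob)[0] > len(blob) - 4:
        raise ValueError("truncated public key")
    _alg, off = _take(blob, 4)
    ident, _ = _take(blob, off)
    fields = {}
    for part in ident.decode("utf-8", "replace").split(","):
        tag, sep, value = part.strip().partition("=")
        if sep:
            fields[tag.upper()] = value.strip()
    return fields

def audit(blob: bytes) -> list:
    """List (tag, description, value) for each disclosed sensitive field."""
    out = []
    fields = parse_identifier(blob)
    for tag, desc in SENSITIVE.items():
        value = fields.get(tag)
        if not value:
            continue
        if tag == "HN" and "." in value:
            desc = "fully qualified hostname"
        out.append((tag, desc, value))
    return out

# Constructed sample: not a real key, the key material is filler bytes.
SAMPLE = build_key(b"rsa", b"UN=alice, HN=ws12.corp.example.org, "
                   b"RN=Alice Example, C=FI", b"\x00" * 16)
```

A real key file would first need its base64 body decoded before being passed to audit().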