
Re: Nom de guerre public key



-----BEGIN PGP SIGNED MESSAGE-----

From: Louis Cypher

>> A signature on your PGP public key is a personal guarantee from the
>> person who signed it that she has first-hand knowledge that the key's
>> userid accurately names the person who physically possesses the key
>> (i.e., the signature validates the binding between userid and person).
>> But you do not have a binding between your userid and your person,
>> because your userid is a pseudonym, and a pseudonym is a name not
>> bound to a person.
>
>Actually, this is not true.  A signature on a key is a personal
>guarantee from the signer that binds the user-id to the _KEY_, not
>necessarily a person.  The problem is validating that key<->userID
>binding in a pseudonymous case.  For example, in the case of a real
>person, you can send me a message to "[email protected]" and later meet
>me in person, and I can verify that I received the message by
>responding in some appropriate manner.
>
>But you cannot perform this check for a pseudonymous identity, because
>there is no secure way to prove that that key really belongs to some
>identity.
>
>Just for an example, I am fairly certain that there is a single
>identity behind Pr0duct Cypher (speaking of PC -- I heard from you in
>a while), but it is difficult to securely obtain assurance of the
>binding behind the key and the keyid.
>

With a pseudonym, all a signature really says is that this is the key that
always goes with the posts signed by this nym.  Assuming there has not been
more than one key claiming to be the "real" nym, then after a while there
can be no doubt that the key and nym go together (which is all that was to
be proved). Personally, I sign nyms that have existed consistently for some
time. I have never distributed any of these signed keys, but see no harm in
doing so as long as the key's user-id field clearly indicates that the key
is a nym and not a person. A sig on a key by a notable like Tim May would
help keep new users from getting taken in by some interloper claiming to be
Pr0duct Cypher.

>> Unless you reveal your pseudonym to someone and identify yourself
>> according to the rules of the PGP Web of Trust, you should not be able
>> to get signatures on your PGP public key.
>
>Well, this isn't the case.  It is possible to set up a server that
>compares userID to mailID in some secure manner.  For example, if there
>were some way to get a secure mail from a user to a server, the
>server could verify the mail address, and then validate the mail
>address to the pgp keyID.
>
>-derek

If I am trying to maintain a truly anonymous pseudonym, I am hardly likely
to allow anyone to connect my key with an email address. All a sig on a
pseudonym's key means is that it is the key which signs posts from that nym,
not such a hard thing to demonstrate with enough empirical evidence.

                -Louis Cypher

P.S. I can be reached privately by leaving a message in
alt.anonymous.messages with my name in the subject line.

