
Re: Nom de guerre public key



-----BEGIN PGP SIGNED MESSAGE-----

[email protected] (Timothy C. May) writes:

> Fran Litterio wrote:

> > Unless you reveal your pseudonym to someone and identify yourself
> > according to the rules of the PGP Web of Trust, you should not be able
> > to get signatures on your PGP public key.
> 
> What are the "rules of the PGP Web of Trust"?

They are pretty simple.  Don't sign someone's PGP key unless you have
firsthand knowledge that it is their key.  Implicit in this knowledge
is the knowledge that they are accurately named by the userid on the
key.  This requires either that you have a significant personal
relationship with the key owner (i.e., long-time friend, lover, etc.)
or that you have seen a significant form of photo-id (i.e., their
passport).  You must also obtain the key fingerprint via a relatively
tamperproof channel (i.e., phone call (if you recognize their voice)
or personal meeting).

> Tying public keys to physical persons is _one_ approach, but not the
> only one.

Yes, we might one day live in a world where every human interaction
takes place between pseudonymous entities that represent one or more
real people.  In such a world, there is no place for PGP's Web of
Trust.  Reputations will have to suffice.

> The "web of trust" models how we pass on advice, introduce others with
> our recommendations, etc., but it is not a very formal thing. 

It's less formal than, say, a central Certification Authority, but it
has some formalities that, if broken regularly and on a wide scale,
would render the Web of Trust ineffective.  Determining the identity
of the real person who owns the key you are signing is one of those
formalities.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLpKw5XeXQmAScOodAQGZ1wP9ERuR2xab9ysUl0goc9qYGEy30S0CFrVd
C6MnuPFETML6BfJHRF/nM+4PTHwfox7Cfp4BEq55/D9FxpvmFwZ/v4A7mKKzJVoD
Jl9Ex3lWxvdM3hv99Zt+dzaWSNvoAbwVIXHwgYS6PyZ68EIKhTJogStarWybpj1R
yez5a/MlFw0=
=le0b
-----END PGP SIGNATURE-----
--
Fran Litterio                   [email protected] (617-498-3255)
CenterLine Software             http://draco.centerline.com:8080/~franl/
Cambridge, MA, USA 02138-1110   PGP public key id: 1270EA1D