Re: Nom de guerre public key
-----BEGIN PGP SIGNED MESSAGE-----
[email protected] (Russell Nelson) writes:
> From: [email protected] (Fran Litterio)
>
> That's part of it, but the more important binding created by a
> signature is the binding between the userid and the real person.
> Without that binding, the binding between the key and the userid is
> useless.
>
> Nonsense. You're assuming that the real person wishes to carry their
> reputation over onto their key/userid combination. Perhaps they wish
> to establish a separate reputation for it? And once they've
> established that reputation, they wish to change keys? Might you not
> sign such a new key?

I would not sign a pseudonymous entity's key based solely on the
reputation of the entity. How do I defend against a man-in-the-middle
attack -- how do I know I'm not signing the middle-man's key instead
of the entity's key?

With a real person, my defense is to use a tamperproof out-of-band
channel to verify the key fingerprint: a phone call (for a friend
whose voice I recognize) or a personal meeting with passports (for
someone I don't know very well). How do I do that with a pseudonymous
entity? I'd really like to know if it's possible to do.

I'm all in favor of pseudonymous entities building reputations, but I
think that the price of pseudonymity is the inability to be part of a
PGP-like Web of Trust.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
-----END PGP SIGNATURE-----
--
Fran Litterio [email protected] (617-498-3255)
CenterLine Software http://draco.centerline.com:8080/~franl/
Cambridge, MA, USA 02138-1110 PGP public key id: 1270EA1D