Re: Nom de guerre public key
On 5 Oct 1994, Fran Litterio wrote:
> > That's part of it, but the more important binding created by a
> > signature is the binding between the userid and the real person.
> > Without that binding, the binding between the key and the userid is
> > useless.
>
> I would not sign a pseudonymous entity's key based solely on the
> reputation of the entity. How do I defend against a man-in-the-middle
> attack -- how do I know I'm not signing the middle-man's key instead
> of the entity's key?
> I'm all in favor of pseudonymous entities building reputations, but I
> think that the price of pseudonymity is the inability to be part of a
> PGP-like Web of Trust.
I probably ought to get out of lurk mode here, since my signature can be
found on the key of one of the more prominent pseudonyms on the list,
Black Unicorn. I met Uni briefly at one of the (two) D.C. area
cypherpunks meetings, last spring. I didn't check his ID. For all his
reluctance to give his name here, he did, as I recall, attempt to give it at
the meeting. (Pat Farrell was trying to draw a seating chart so we'd
know what to call each other, but he had trouble spelling Uni's
name.)
I guess it could have been an impostor at the meeting, but enough
of the details seemed to match up that I didn't have any doubts about
him. And I've probably got enough information from his posts, and my
hazy recollection of his first name, to find out who he is, if I felt
like it.
I guess my point is that key signing doesn't always fit into one
particular category, one that requires a driver's license or passport.
That (or personal knowledge of the person) is the most secure method for
keys that are clearly bound to a specific person, but it's not the only
way things are done.
Joe