[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

True Names and Webs of Trust

Just a comment on this business of whether we need certification of the
True Names of people we deal with:

I've dealt with "in person" maybe 60 to 100 of the people on this list (at
one time or another). In no cases--not a single one--have I made elaborate
checks to confirm that people are who they claim to be. A few driver's
licenses have been flashed at meetings, but I didn't look closely. Maybe a
passport was even displayed, but, again, I didn't look. And documents are
readily forged.

This has relevance to the thread Michael Froomkin raised, as well. To wit,
none of the people I've met has been "certified." And yet it doesn't bother

As Bill Stewart correctly claimed is my view, the "key is the identity."
Or, more accurately, a _persistent personna_ is what matters.

Thus, I don't need to "verify" that "Eric Hughes" is "really" Eric Hughes,
and is not actually Fritz Doppelganger, assigned to Berkeley by the BND. I
really don't care about the so-called "reality."

(Sorry for all of the "quotes," but all of these terms are heavily laden
with connotations which bear deconstructing.)

My experiences are the norm, I think. Identity credentials are rarely
checked, and most people don't care too much. (An important point is that
in a cash economy, identity is almost irrelevant. It's only in non-cash, or
"account-based," economy that True Names are demanded. Lots of interesting
issues to discuss here, which I won't now.)

The "web of trust" model is really the normal way people go about their
business. I knew someone once introduced to me as "Hugh Daniel," and he
eventually introduced me to someone calling himself "Eric Hughes," and so
on. Introducers, webs of trust, etc. What their "real names" are makes
little difference. (Besides, their Real Names were written on flat stones
on the 3rd day after their births and placed in a safe place known only to
the Great Bird.)

I never use the web of trust model in PGP. I get so few PGP messages that
it's enough that people I know give me their keys. So I concede that the
web of trust model in the PGP world may or may not scale well. (In the
sense of tens of thousands of folks establishing a "web of trust.") But the
_basic_ idea of self-arranged transfers of keys and local networks of
friends is right on.

This is why I don't worry too much about the need for
government-authenticated keys and True Names.

--Tim May

Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."