One of the reasons people don't like solutions based on True Names is because nyms don't have them. Pr0duct Cypher can't very well go to someone, show a drivers license, and get his key signed. There is still a way in which signed, true-name-based keys can be useful to nyms. Maybe they can't get their own keys signed in this mode, but they can check the keys of others. If Pr0duct Cypher, under his secret identity, goes out and gets valid keys that he can trust (maybe he sees Verisign's key fingerprint in the newspaper), then if I send him my key signed by someone he trusts, he can check the signature. He can then send data to me encrypted with my actual key, and the MITM can't do anything about it. So the presence of my True Name based key allows us to communicate securely. This doesn't help for the case of two nyms who want to communicate, though. For that we do need a mode in which nyms can get their keys signed. I do think that there are some situations in which that is plausible, based on the difficulty of mounting a MITM attack against someone who is determined to try to detect it. In the most extreme case the MITM has to simulate the whole outside world with respect to the person he is targetting, which is infeasible. Various tricks like sending hashes of future messages have been discussed; the MITM can't let these through since the future message may include the true key that he is hiding. If people are then supposed to reply to these hashes, all of the replies have to be simulated by the MITM. Eventually it seems that the MITM becomes enmeshed so deeply in his own lies that he would get caught. If steps like these are taken successfully it should be reasonable to sign a nym's key, with the semantics being that either this is the real key of the sender, or he has a nearly omnipotent MITM surrounding him. Hal