-----BEGIN PGP SIGNED MESSAGE-----

Information Security <The@NSA.sucks> wrote:
: While that's technically true, it's even more true of non-anonymous e-mail
: addresses. Usenet posts are much easier to forge than PGP signatures, and
: it's quite simple to sign up for a throwaway e-mail account under an assumed
: name. It's not very secure from a privacy standpoint, but it's even less
: secure from a "positive ID" POV.
:
: At least with a PGP-signed anonymous post, readers are alerted up front that
: they are reading the work of an author who is withholding his/her identity.
: But if you read a post from "john_smith@hotmail.com", is it really someone
: named "John Smith" or not?

I'm not following this...anyone can generate PGP keys, and digital signatures are not necessary to identify an account...

Sure, anyone can generate a PGP key. It's almost as easy as generating a throwaway e-mail address. And what does posting from a certain e-mail address or signing one's post with a certain PGP key prove? It proves that the poster KNEW a certain piece of INFORMATION, either an account password or a PGP secret key. It's usually inferred that the person who possesses that information is the person who generated it. Of the two, guessing a PGP secret key is orders of magnitude harder than guessing someone's password, logging on, and impersonating them.

In addition, PGP signing is "portable". No matter where I post from, if I sign my post with the same key, you can assume it's me who posted it. It's more difficult to do that with an e-mail address.

Let's say that you have a common name like "John Smith" and you post as jsmith@someisp.com. Are you saying that's your "identity"? What if Someisp, Inc. suddenly files for bankruptcy and shuts down without warning? Did you lose your identity? You could open a new account as "jsmith" somewhere else and claim you are the same person who previously posted as jsmith@someisp.com, but so could anyone else who desired to impersonate you. If you were signing your posts with a PGP key, then all you'd have to do is make a post from your new ISP, sign it with the same key, and your "identity" is "transferred".

- ---
Finger <comsec@nym.alias.net> for PGP public key (Key ID=19BE8B0D)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

-----END PGP SIGNATURE-----
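
The "portable identity" argument in the post above, as an added example that is not part of the original message: a reader pins the first key seen for a pseudonym and judges later posts by key, not by From: address. Textbook RSA over fixed Mersenne primes stands in for PGP so the block runs on the standard library alone (it is not secure); `Continuity`, `key_id` and the `otherisp.example` address are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by the constructed demo keys

def make_key(p, q):
    """Textbook RSA key from two known primes (demo stand-in for a PGP key)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def key_id(n):
    """Short hash of the public modulus; plays the role of a PGP key ID."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]

def _digest(body, n):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def sign(body, key):
    return pow(_digest(body, key["n"]), key["d"], key["n"])

def verify(body, sig, n):
    return pow(sig, E, n) == _digest(body, n)

class Continuity:
    """Trust-on-first-use: pin the first key ID seen for each pseudonym."""
    def __init__(self):
        self.pinned = {}  # pseudonym -> key ID

    def check(self, pseudonym, from_addr, body, sig, n):
        # from_addr is deliberately not consulted: it proves nothing here.
        if not verify(body, sig, n):
            return "bad-signature"
        known = self.pinned.setdefault(pseudonym, key_id(n))
        return "same-author" if known == key_id(n) else "different-key"

def demo():
    author = make_key(2**521 - 1, 2**607 - 1)
    impostor = make_key(2**127 - 1, 2**521 - 1)
    tracker = Continuity()
    posts = [  # constructed posts: (From: address, body, signing key)
        ("jsmith@someisp.com", "first post", author),
        ("jsmith@otherisp.example", "moved ISPs, same key", author),
        ("jsmith@someisp.com", "it's really me", impostor),
    ]
    return [tracker.check("jsmith", a, b, sign(b, k), k["n"])
            for a, b, k in posts]

if __name__ == "__main__":
    print(demo())
```

The second post comes from a new address yet is accepted as the same author, while the third reuses the original address with a different key and is flagged.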