On 5 Oct 1994, Fran Litterio wrote:
That's part of it, but the more important binding created by a signature is the binding between the userid and the real person. Without that binding, the binding between the key and the userid is useless.
I would not sign a pseudonymous entity's key based solely on the reputation of the entity. How do I defend against a man-in-the-middle attack -- how do I know I'm not signing the middle-man's key instead of the entity's key?
I'm all in favor of pseudonymous entities building reputations, but I think that the price of pseudonymity is the inability to be part of a PGP-like Web of Trust.
I probably ought to get out of lurk mode here, since my signature can be found on the key of one of the more prominent pseudonyms on the list, Black Unicorn. I met Uni briefly at one of the (two) D.C. area cypherpunks meetings, last spring. I didn't check his ID. For all his reluctance to give his name here, he did, as I recall, attempt to give it at the meeting. (Pat Farrell was trying to draw a seating chart so we'd know what to call each other, but he had trouble spelling Uni's name.)
I guess it could have been an impostor at the meeting, but enough of the details seemed to match up that I didn't have any doubts about him. And I've probably got enough information from his posts, and my hazy recollection of his first name, to find out who he is, if I felt like it.
I guess my point is that key signing doesn't always fit into one particular category, one that requires a driver's license or passport. That (or personal knowledge of the person) is the most secure method for keys that are clearly bound to a specific person, but it's not the only way things are done.
Joe