Here's one: How do you verify a signature for an anonymous, first time poster?
You don't try -- what would it mean? You accept the provided public key, and use it to check the continuity of the pseudonym.
How do we prevent people from registering a key in someone else's name??? It's beyond me.
The list, to check signatures, has to have a trusted key from each nym. But there are different sorts of trust. One might certify that a given key belongs to a known real-world meat machine. Or one might certify only that it corresponds to the legitimate user of a given net address. In theory, one could even certify that the key holder was not forced to hand a copy over to the NSA, or make whatever other guarantees one chooses. I think the trusting of keys should be left to individuals, who may have different ideas of what it means for them to accept a given signature. In PGP's "web of trust" model, is there a general consensus on what it means to sign someone's key?
Wonderer
Eli ebrandt@jarthur.claremont.edu
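The key-continuity check described in the reply above (accept the key a first-time poster presents, then hold the pseudonym to that key afterwards), as an added example that is not part of the original message; it assumes Ed25519 signatures over a constructed nym||body encoding, and the names Registry, Post, Check and MakePost are this example's own. It also shows the limit raised in the second question: whoever posts under an unclaimed nym first gets it bound to their key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Post is one signed list message: the pseudonym, the body, the key the
// poster presents, and a signature over the nym and body together.
type Post struct {
	Nym, Body string
	PubKey    ed25519.PublicKey
	Sig       []byte
}

// Registry maps each pseudonym to the first key ever seen under it.
type Registry map[string]ed25519.PublicKey

// signed is the constructed byte string that gets signed: nym, NUL, body.
func signed(nym, body string) []byte { return []byte(nym + "\x00" + body) }

// Check applies key continuity: an unknown nym is bound to the presented
// key (trust on first use); a known nym must present exactly its bound key,
// and the signature must verify under that key. Returns ok and a reason.
func (r Registry) Check(p Post) (bool, string) {
	bound, seen := r[p.Nym]
	if seen && !bound.Equal(p.PubKey) {
		return false, "key mismatch: nym already bound to a different key"
	}
	if !ed25519.Verify(p.PubKey, signed(p.Nym, p.Body), p.Sig) {
		return false, "bad signature"
	}
	if !seen {
		r[p.Nym] = p.PubKey
		return true, "first post: key bound to nym"
	}
	return true, "continuity ok"
}

// MakePost signs nym||body with priv and attaches pub as the claimed key.
func MakePost(nym, body string, pub ed25519.PublicKey, priv ed25519.PrivateKey) Post {
	return Post{nym, body, pub, ed25519.Sign(priv, signed(nym, body))}
}

func main() {
	reg := Registry{}
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(reg.Check(MakePost("alice", "hello", alicePub, alicePriv)))  // binds
	fmt.Println(reg.Check(MakePost("alice", "again", alicePub, alicePriv)))  // ok
	fmt.Println(reg.Check(MakePost("alice", "hi", malPub, malPriv)))         // key mismatch
	fmt.Println(reg.Check(MakePost("alice", "hi", alicePub, malPriv)))       // bad signature
	fmt.Println(reg.Check(MakePost("bob", "first!", malPub, malPriv)))       // unclaimed nym: binds
}
```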