tcmay@netcom.com (Timothy C. May) writes:

> Fran Litterio wrote:
>
> > Unless you reveal your pseudonym to someone and identify yourself according to the rules of the PGP Web of Trust, you should not be able to get signatures on your PGP public key.
>
> What are the "rules of the PGP Web of Trust"?

They are pretty simple. Don't sign someone's PGP key unless you have firsthand knowledge that it is their key. Implicit in this knowledge is the knowledge that they are accurately named by the userid on the key. This requires either that you have a significant personal relationship with the key owner (i.e., long-time friend, lover, etc.) or that you have seen a significant form of photo-id (i.e., their passport). You must also obtain the key fingerprint via a relatively tamperproof channel (i.e., phone call (if you recognize their voice) or personal meeting).

> Tying public keys to physical persons is _one_ approach, but not the only one.

Yes, we might one day live in a world where every human interaction takes place between pseudonymous entities that represent one or more real people. In such a world, there is no place for PGP's Web of Trust. Reputations will have to suffice.

> The "web of trust" models how we pass on advice, introduce others with our recommendations, etc., but it is not a very formal thing.

It's less formal than, say, a central Certification Authority, but it has some formalities that, if broken regularly and on a wide scale, would render the Web of Trust ineffective. Determining the identity of the real person who owns the key you are signing is one of those formalities.

--
Fran Litterio
franl@centerline.com (617-498-3255)
CenterLine Software
http://draco.centerline.com:8080/~franl/
Cambridge, MA, USA 02138-1110
PGP public key id: 1270EA1D