- provide accountability by linking the author of a program to a real person whose identity is verified off-line
This is unnecessary, and I would claim undesirable. A unique anonymous ID is just as good as a "real" one -- since you're relying upon PGP anyway, the mapping from signature to a known identity is one-to-one.
The only reason I can see to require this "real human" mapping is to try to prosecute people for bugs in their code or some contamination that seeps into their release.
That's not an aspect of the world I want to live in.
Or to warn potential virus "authors" that *their* anonymity is no longer assured - not a bad thing. Not enough to justify the rest of it, IMHO, but certainly not Evil Incarnate (not to be flinging misinterpretations or aspersions :-) Dave Merriman - - - - - - - - - - - - - - - - - - - - - - - - - - Finger merriman@metronet.com for PGP/RIPEM public keys and fingerprints. Unencrypted Email may be ignored without notice to sender. PGP preferred. Remember: It is not enough to _obey_ Big Brother; you must also learn to *love* Big Brother.