-----BEGIN PGP SIGNED MESSAGE-----

nelson@crynwr.com (Russell Nelson) writes:

> From: franl@centerline.com (Fran Litterio)
>
> > That's part of it, but the more important binding created by a signature is the binding between the userid and the real person. Without that binding, the binding between the key and the userid is useless.
>
> Nonsense. You're assuming that the real person wishes to carry their reputation over onto their key/userid combination. Perhaps they wish to establish a separate reputation for it? And once they've established that reputation, they wish to change keys? Might you not sign such a new key?

I would not sign a pseudonymous entity's key based solely on the reputation of the entity. How do I defend against a man-in-the-middle attack -- how do I know I'm not signing the middle-man's key instead of the entity's key? With a real person, my defense is to use a tamperproof out-of-band channel to verify the key fingerprint: a phone call (for a friend whose voice I recognize) or a personal meeting with passports (for someone I don't know very well). How do I do that with a pseudonymous entity? I'd really like to know if it's possible to do. I'm all in favor of pseudonymous entities building reputations, but I think that the price of pseudonymity is the inability to be part of a PGP-like Web of Trust.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLpLtrneXQmAScOodAQGvRwP+Jj8aR/Qmbd9EdPmCzBw6AGj0fvXhdgal
MXN0HYsqiFPcqZf2GeeE764DpZrCAa54RheXsFa9sjkfJSzN2MfqV4HOiI/X3TvP
qZjt0Bzc8FX5e88CPTE7ajISbPWhhHyGYcbf5IY6u/a55jmSiwSUTuEysFb37QIT
2SCgNSW6uNs=
=ejKn
-----END PGP SIGNATURE-----
-- 
Fran Litterio franl@centerline.com (617-498-3255)
CenterLine Software http://draco.centerline.com:8080/~franl/
Cambridge, MA, USA 02138-1110
PGP public key id: 1270EA1D
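The out-of-band fingerprint check described in the post above, as an added example that is not part of the original thread or of PGP itself: it derives a key fingerprint from the public key material the way PGP 2.x does for v3 keys (MD5 over the modulus and exponent bodies) and the way the later OpenPGP format (RFC 4880) does for v4 keys (SHA-1 over the public-key packet), then signs only if the fingerprint of the key that actually arrived equals the one read out over a channel the attacker cannot tamper with. The key integers, the creation time and the participant "Alice" are constructed for the example, not real keys or people.

```python
# Added example (not from the original thread): deriving an OpenPGP key fingerprint
# and checking it against a value obtained out-of-band, so that a key substituted by
# a man-in-the-middle is refused a signature.  v3 (PGP 2.x, MD5) and v4 (RFC 4880,
# SHA-1) fingerprints are both shown.  All key values below are constructed integers,
# not real RSA keys.
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte big-endian bit count, then the value bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def mpi_body(n: int) -> bytes:
    """Value bytes of an MPI without the 2-byte bit-count header (used by v3 fingerprints)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def v3_fingerprint(n: int, e: int) -> str:
    """PGP 2.x (v3 RSA key) fingerprint: MD5 over the bodies of n and e, no length octets."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, the 2-byte packet length, and the
    public-key packet body (version 4, creation time, algorithm 1 = RSA, MPI n, MPI e)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def v4_key_id(fingerprint: str) -> str:
    """A v4 key id is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def fingerprints_match(presented: str, out_of_band: str) -> bool:
    """Compare the fingerprint of a received key with one obtained over a channel the
    attacker cannot tamper with.  Whitespace and case are normalised (fingerprints are
    usually read out in groups of four), and the comparison is constant-time."""
    a = "".join(presented.split()).upper().encode()
    b = "".join(out_of_band.split()).upper().encode()
    return hmac.compare_digest(a, b)


def should_sign(received_n: int, received_e: int, created: int, out_of_band_fp: str) -> bool:
    """Sign only when the fingerprint of the key actually received matches the one
    verified out-of-band; a substituted key necessarily produces a different fingerprint."""
    return fingerprints_match(v4_fingerprint(received_n, received_e, created), out_of_band_fp)


# Constructed sample values (hypothetical, not real keys or real people).
E = 65537
CREATED = 780_000_000  # seconds since the epoch, a 1994 timestamp
ALICE_N = 0xC3A1F2B7_0D4E9C6A_55B0E1D3_F7A2C4E9_8B1D0F63_7E5A2C91_D4B6F0A3_1C9E7D5F
MITM_N = 0xB7E4A9C1_3F0D6E82_9A5C1B74_E3D8F06B_2C7A9E15_6D4B3F80_A1E9C57D_0F3B8A62


def demo() -> dict:
    """Alice reads her fingerprint over the phone; the signer computes the fingerprint
    of the key that arrived by e-mail and signs only if the two agree."""
    phone_fp = v4_fingerprint(ALICE_N, E, CREATED)  # what Alice read out
    return {
        "genuine_key_signed": should_sign(ALICE_N, E, CREATED, phone_fp),
        "substituted_key_signed": should_sign(MITM_N, E, CREATED, phone_fp),
    }


if __name__ == "__main__":
    fp = v4_fingerprint(ALICE_N, E, CREATED)
    print("v4 fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("v4 key id:     ", v4_key_id(fp))
    print("v3 fingerprint:", v3_fingerprint(ALICE_N, E))
    print(demo())
```

The check works because the fingerprint is a function of the key material alone: whoever substitutes a key cannot also make it hash to the value the real owner spoke over the phone. That is exactly the step the post finds missing for a pseudonymous entity: there is a key to hash, but no second channel whose other end is known to be the entity.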