Nom de guerre public key
-----BEGIN PGP SIGNED MESSAGE----- I'm new at both remailing and PGP, but having read the Cyphernomicon (OK, skimmed it) and various other FAQs, I haven't seen this issue addressed: I've created a pseudonym and a PGP key pair for that pseudonym. Now, how do I secure signatures for my public key, given the fact that (a) to sign it, you should be sure that it really belongs to me, and (b) I have no intention of revealing who "me" actually is? You can't call me on the phone, or meet me face to face, or do any of those other standard practices for confirming the key before signing it. But I sure don't want to use an unsigned, untrusted public key, since I want to make and keep a reputation and I can't risk someone spoofing my public key. ======================================================================= Crim Tideson Privacy is its own justification. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ My public key: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCPAy51e6kAAAEEAMLIkYRAJqKnrQL7Xxmu7hNycUU06YZuR2i3WVxN9Jc6vnoF i7gT6/u7zVI4gmZCTA6mF6SYEFeOiENHaz0wyBNe+8AOIgdaezUsPODMh7UC64k0 YVQTNOiPN9jQAnyCGjPrplSliWT4gHGC796whwJ8CFkwPdpQf6vOblMnt4MdABEB AAG0DENyaW0gVGlkZXNvbg== =pwyo - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBLo3MxqvOblMnt4MdAQH0jwQAvzbd7b7KpcKdaeGzWUx8aav4WxWJWD9W qwYaVF/WNFFg89+m0K8TztTEcc9QVz3wYvKz1ojOx7IOJl10ZUBXbXrChaDYhbKJ YTU3QeOHN7o8VdzJ3o7z6lK9QqLZhhzQd4VgF9VxR++8LcBVS8AYaVWsfGLv7L2q W+4h4FIR0GE= =Vu2X -----END PGP SIGNATURE-----
Anonymous wrote:
I'm new at both remailing and PGP, but having read the Cyphernomicon (OK, skimmed it) and various other FAQs, I haven't seen this issue addressed:
I'll be sure to put something in about this, though I thought I had.
I've created a pseudonym and a PGP key pair for that pseudonym. Now, how do I secure signatures for my public key, given the fact that (a) to sign it, you should be sure that it really belongs to me, and (b) I have no intention of revealing who "me" actually is? You can't call me on the phone, or meet me face to face, or do any of those other standard practices for confirming the key before signing it. But I sure don't want to use an unsigned, untrusted public key, since I want to make and keep a reputation and I can't risk someone spoofing my public key.
======================================================================= Crim Tideson Privacy is its own justification.
Crim Tideson, you are who you say you are by the fact that you possess the key yoy have just announced yourself with! Only you can sign messages with the private key for which the public key produced a valid signature. We have no interest in your (alleged) physical identity. Maybe you are a committee. Maybe you are an AI. Or a Zeta Reticulan. Digital signatures have this wonderful property of being more important than putative physical identity, such identity being vastly easier to forge. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo@toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay
I've created a pseudonym and a PGP key pair for that pseudonym. Now, how do I secure signatures for my public key, given the fact that (a) to sign it, you should be sure that it really belongs to me, and (b) I have no intention of revealing who "me" actually is?
A signature on your PGP public key is a personal guarantee from the person who signed it that she has first-hand knowledge that the key's userid accurately names the person who physically possesses the key (i.e., the signature validates the binding between userid and person). But you do not have a binding between your userid and your person, because your userid is a pseudonym, and a pseudonym is a name not bound to a person. Unless you reveal your pseudonym to someone and identify yourself according to the rules of the PGP Web of Trust, you should not be able to get signatures on your PGP public key. -- Fran Litterio franl@centerline.com (617-498-3255) CenterLine Software http://draco.centerline.com:8080/~franl/ Cambridge, MA, USA 02138-1110 PGP public key id: 1270EA1D
Fran Litterio wrote:
Unless you reveal your pseudonym to someone and identify yourself according to the rules of the PGP Web of Trust, you should not be able to get signatures on your PGP public key.
What are the "rules of the PGP Web of Trust"? I've seen a couple of "BlackNet" public keys on the MIT Key Server, and I doubt rather strongly that the creators of BlackNet(s) identified himself or herself (or itself, even). Tying public keys to physical persons is _one_ approach, but not the only one. If fact, for a lot of intended uses of public key crypto, multiple keys will be generated and discarded. Granted, they won't necessarily ever appear on any of the main keyservers, but they might. The "web of trust" models how we pass on advice, introduce others with our recommendations, etc., but it is not a very formal thing. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo@toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay
-----BEGIN PGP SIGNED MESSAGE----- warlord@mit.edu (Derek Atkins) writes:
A signature on your PGP public key is a personal guarantee from the person who signed it that she has first-hand knowledge that the key's userid accurately names the person who physically possesses the key (i.e., the signature validates the binding between userid and person).
Actually, this is not true. A signature on a key is a personal guarantee from the signer that binds the user-id to the _KEY_, not necessarily a person.
That's part of it, but the more important binding created by a signature is the binding between the userid and the real person. Without that binding, the binding between the key and the userid is useless. This is why photo-identification (i.e., a passport) a required part of keysigning (unless the signer personally knows the key's owner). Sure signatures bind the userid to the key, but what good is that to third parties if they can't be sure that the userid accurately names the person who possesses that key?
For example, in the case of a real person, you can send me a message to "warlord@MIT.EDU" and later meet me in person, and I can verify that I received the message by responding in some appropriate manner.
When I meet you in person to hand you my key fingerprint, won't you require me to identify myself in order that you can be sure the name in the userid of my key is also the name of the person you are meeting? If you do, then you will have just validated the binding between userid and real person.
But you cannot perform this check for a pseudonymous identity, because there is no secure way to prove that that key really belongs to some identity.
Which is exactly why I can never sign the key of a pseudonymous entity. Because the entity is unwilling to prove to me that there is a single real person who possesses the private half of his key.
It is possible to set up a server that compares userID to mailID in some secure manner. For example, there were some way to get a secure mail from a user to a server, and the server could verify the mail address, and then validate the mail address to pgp keyID.
As an aside, I've written a Kerberos PGP Keysigner -- it uses kerberos authentication to validate a user and compares the kerberos identity to the userID on the key, and if certain qualifications are met between these two names, the server will sign the key. The assurance this key is making is that the owner of this key could authenticate as this user to me via kerberos.
I don't like the idea of an automaton possessing or signing PGP keys. People sign other people's keys because only people have the need to trust other people. Automatons don't need to trust and they are not the direct targets of trust. This is the objection I had to Phil's signing of the Betsi public key. As an automaton, Betsi is only as trustable as its human authors and adminstrators. Yet Phil doesn't know who those people may be in five or ten years. Yes, people change over time too, but not as quickly or as radically as an automaton can. It's too easy to subvert an automaton for me to ever sign an automaton's PGP key. -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLpKqgXeXQmAScOodAQHN0gP+K7TTE488k+fJQdyL4laxFOJa8LYeoo09 F+RzXyLv2FMKPfNDPhbMglHToRf5lgmtskELe3+rB2Ra2xbdOGFKUxNHkkgdCLXt ld149yBMmZBawHw5Qj482UpVt12+hmYxgt0bBnsTRqf4r6lMjdmU2OwiZ7KaY5/V /EKkTrotvAw= =G4X/ -----END PGP SIGNATURE----- -- Fran Litterio franl@centerline.com (617-498-3255) CenterLine Software http://draco.centerline.com:8080/~franl/ Cambridge, MA, USA 02138-1110 PGP public key id: 1270EA1D
Date: 05 Oct 1994 13:31:42 GMT Organization: CenterLine Software R&D From: franl@centerline.com (Fran Litterio) That's part of it, but the more important binding created by a signature is the binding between the userid and the real person. Without that binding, the binding between the key and the userid is useless. Nonsense. You're assuming that the real person wishes to carry their reputation over onto their key/userid combination. Perhaps they wish to establish a separate reputation for it? And once they've established that reputation, they wish to change keys? Might you not sign such a new key? -- -russ <nelson@crynwr.com> http://www.crynwr.com/crynwr/nelson.html Crynwr Software | Crynwr Software sells packet driver support | ask4 PGP key 11 Grant St. | +1 315 268 1925 (9201 FAX) | What is thee doing about it? Potsdam, NY 13676 | LPF member - ask me about the harm software patents do.
-----BEGIN PGP SIGNED MESSAGE----- nelson@crynwr.com (Russell Nelson) writes:
From: franl@centerline.com (Fran Litterio)
That's part of it, but the more important binding created by a signature is the binding between the userid and the real person. Without that binding, the binding between the key and the userid is useless.
Nonsense. You're assuming that the real person wishes to carry their reputation over onto their key/userid combination. Perhaps they wish to establish a separate reputation for it? And once they've established that reputation, they wish to change keys? Might you not sign such a new key?
I would not sign a pseydonymous entity's key based soley on the reputation of the entity. How do I defend against a man-in-the-middle attack -- how do I know I'm not signing the middle-man's key instead of the entity's key? With a real person, my defense is to use a tamperproof out-of-band channel to verify the key fingerprint: a phone call (for a friend whose voice I recognize) or a personal meeting with passports (for someone I don't know very well). How do I do that with a pseudonymous entity? I'd really like to know if it's possible to do. I'm all in favor of pseudonymous entities building reputations, but I think that the price of pseudonymity is the inability to be part of a PGP-like Web of Trust. -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLpLtrneXQmAScOodAQGvRwP+Jj8aR/Qmbd9EdPmCzBw6AGj0fvXhdgal MXN0HYsqiFPcqZf2GeeE764DpZrCAa54RheXsFa9sjkfJSzN2MfqV4HOiI/X3TvP qZjt0Bzc8FX5e88CPTE7ajISbPWhhHyGYcbf5IY6u/a55jmSiwSUTuEysFb37QIT 2SCgNSW6uNs= =ejKn -----END PGP SIGNATURE----- -- Fran Litterio franl@centerline.com (617-498-3255) CenterLine Software http://draco.centerline.com:8080/~franl/ Cambridge, MA, USA 02138-1110 PGP public key id: 1270EA1D
On 5 Oct 1994, Fran Litterio wrote:
That's part of it, but the more important binding created by a signature is the binding between the userid and the real person. Without that binding, the binding between the key and the userid is useless.
I would not sign a pseydonymous entity's key based soley on the reputation of the entity. How do I defend against a man-in-the-middle attack -- how do I know I'm not signing the middle-man's key instead of the entity's key?
I'm all in favor of pseudonymous entities building reputations, but I think that the price of pseudonymity is the inability to be part of a PGP-like Web of Trust.
I probably ought to get out of lurk mode here, since my signature can be found on the key of one of the more prominent pseudonyms on the list, Black Unicorn. I met Uni briefly at one of the (two) D.C. area cypherpunks meetings, last spring. I didn't check his ID. For all his reluctance to give his name here, he did, as I recall, attempt to give it at at the meeting. (Pat Farrell was trying to draw a seating chart so we'd know what to call each other, but he had trouble spelling Uni's name.) I guess it could have been an impostor at the meeting, but enough of the details seemed to match up that I didn't have any doubts about him. And I've probably got enough information from his posts, and my hazy recollection of his first name, to find out who he is, if I felt like it. I guess my point is that key signing doesn't always fit into one particular category, one that requires a drivers license or passport. That (or personal knowledge of the person) is the most secure method for keys that are clearly bound to a specific person, but it's not the only way things are done. Joe
-----BEGIN PGP SIGNED MESSAGE----- To: franl@centerline.com (Fran Litterio) cc: cypherpunks@toad.com Subject: Re: Nom de guerre public key In-reply-to: Your message of "05 Oct 1994 13:31:42 GMT." <FRANL.94Oct5093142@draco.centerline.com> - --------
key's owner). Sure signatures bind the userid to the key, but what good is that to third parties if they can't be sure that the userid accurately names the person who possesses that key?
What is in a name? A name is just a convenience with which one can identify some object/entity/etc. "Pr0duct Cypher" is as much a valid name as "Derek Atkins". The fact that some entity can produce some United States Government paperwork that says that the US Govt believes that this person "exists" is irrelevant in this discussion. The fact that I can certify that "This Public key belongs to the identity Pr0duct Cypher" is _all_ that a key signature says.
When I meet you in person to hand you my key fingerprint, won't you require me to identify myself in order that you can be sure the name in the userid of my key is also the name of the person you are meeting? If you do, then you will have just validated the binding between userid and real person.
This is a humanly-applied set of restrictions. I have in the past signed keys for people whom I haven't met in person; my personal requirements for signing keys do require out-of-band authentication, however. Yet PGP does not impose this restriction. I could create an identity (call him Mr. X), and Mr. X could start to sign keys based upon continuous communication. For example, Mr. X could encrypt a message to some other pseudosym, and ask them to sign the message that was encrypted to them and send it back. Since only the owner of the key can both read it and sign it, and since Mr. X only sent this to a single person (and included some identification string), Mr. X could know, with marginal doubt, that this key belongs to this identity -- even without ever meeting this person and without ever needing to talk to a real person.
entity. Because the entity is unwilling to prove to me that there is a single real person who possesses the private half of his key.
This is fine -- you don't have to sign pseudonymous keys. That is your perogative. That doesn't mean that there aren't cases where signing a pseudonym's key is the right thing to do.
I don't like the idea of an automaton possessing or signing PGP keys. People sign other people's keys because only people have the need to trust other people. Automatons don't need to trust and they are not the direct targets of trust.
So what you are saying is that you don't see any reason for a server to be able to authenticate itself or for someone to be able to send a message to a server? You don't believe that there could be a PGP-telnet? If this is what you believe, then you have a very short-sighted view of the world. A server needs to trust that a person is allowed to log into it, or that a client is allowed to use the service it provides. As such, it is vital that the server be able to authenticate to the client as much as the client needs to authenticate to the server. This requires that the server itself maintain a key.
This is the objection I had to Phil's signing of the Betsi public key. As an automaton, Betsi is only as trustable as its human authors and adminstrators. Yet Phil doesn't know who those people may be in five or ten years. Yes, people change over time too, but not as quickly or as radically as an automaton can. It's too easy to subvert an automaton for me to ever sign an automaton's PGP key.
This is the point I am trying to make. When I sign a key, I do not say ANYTHING about how that key will be used -- I am only saying that I know that that key is what it claims to be. I know that this key belongs to this user, this name, this email-address, this server. I don't know that if I sign your key you will then use it to send threatening email to president@whitehouse.gov. And personally, I don't care -- that shouldn't be a consideration in my signing your key. Phil signed the Betsi key because to his knowledge that key really belonged to the Betsi server. Just like I will sign the MIT PGP Keysigner key because I will know that it belongs to that identity. As to how much trust I put in these keys to sign other keys is a determination that I make orthogonal to the question of signing the key. I happened to write the keysigner software, so I know what it will do -- but that is me -- you don't have to trust it if you don't want to. I think the problem here is that you are combining a number of orthogonal decisions into a single one. These decisions are: 1) trust in userID to sign a key 2) trust in that key to sign others 3) trust in the usage of that key. These are distinct for a reason, and should be kept that way. If you want to lump them together, that is your perogative, but that is not something that can be, or should, be enforced. - -derek -----BEGIN PGP SIGNATURE----- Version: 2.6 iQBuAwUBLpNg7zh0K1zBsGrxAQGETQLECyKXVFNnai1otoSH3IMungYtXqR+y4gj LFyIa0iIhMgTMYI0tCFs4RmG3pwO83qCoaLRbGdJ5IpjbepqbUHKDwFm0AB7Z43I x2s2A+HjqTtEu5XaNV1qGvg= =4urS -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- tcmay@netcom.com (Timothy C. May) writes:
Fran Litterio wrote:
Unless you reveal your pseudonym to someone and identify yourself according to the rules of the PGP Web of Trust, you should not be able to get signatures on your PGP public key.
What are the "rules of the PGP Web of Trust"?
They are pretty simple. Don't sign someone's PGP key unless you have firsthand knowledge that it is their key. Implicit in this knowledge is the knowledge that they are accurately named by the userid on the key. This requires either that you have a significant personal relationship with the key owner (i.e., long-time friend, lover, etc.) or that you have seen a significant form of photo-id (i.e., their passport). You must also obtain the key fingerprint via a relatively tamperproof channel (i.e., phone call (if you recognize their voice) or personal meeting).
Tying public keys to physical persons is _one_ approach, but not the only one.
Yes, we might one day live in a world where every human interaction takes place between pseudonyous entities that represent one or more real people. In such a world, there is no place for PGP's Web of Trust. Reputations will have to suffice.
The "web of trust" models how we pass on advice, introduce others with our recommendations, etc., but it is not a very formal thing.
It's less formal than, say, a central Certification Authority, but it has some formalities that, if broken regularly and on a wide scale, would render the Web of Trust ineffective. Determining the identity of the real person who owns the key you are signing is one of those formalities. -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLpKw5XeXQmAScOodAQGZ1wP9ERuR2xab9ysUl0goc9qYGEy30S0CFrVd C6MnuPFETML6BfJHRF/nM+4PTHwfox7Cfp4BEq55/D9FxpvmFwZ/v4A7mKKzJVoD Jl9Ex3lWxvdM3hv99Zt+dzaWSNvoAbwVIXHwgYS6PyZ68EIKhTJogStarWybpj1R yez5a/MlFw0= =le0b -----END PGP SIGNATURE----- -- Fran Litterio franl@centerline.com (617-498-3255) CenterLine Software http://draco.centerline.com:8080/~franl/ Cambridge, MA, USA 02138-1110 PGP public key id: 1270EA1D
participants (6)
-
Derek Atkins -
franl@centerline.com -
Joe Thomas -
nelson@crynwr.com -
nobody@jpunix.com -
tcmay@netcom.com