Re: Nom de guerre public key
-----BEGIN PGP SIGNED MESSAGE-----
From: Louis Cypher
A signature on your PGP public key is a personal guarantee from the person who signed it that she has first-hand knowledge that the key's userid accurately names the person who physically possesses the key (i.e., the signature validates the binding between userid and person). But you do not have a binding between your userid and your person, because your userid is a pseudonym, and a pseudonym is a name not bound to a person.
Actually, this is not true. A signature on a key is a personal guarantee from the signer that binds the user-id to the _KEY_, not necessarily a person. The problem is validating that key<->userID binding in a pseudonymous case. For example, in the case of a real person, you can send me a message to "warlord@MIT.EDU" and later meet me in person, and I can verify that I received the message by responding in some appropriate manner.
But you cannot perform this check for a pseudonymous identity, because there is no secure way to prove that that key really belongs to some identity.
Just for an example, I am fairly certain that there is a single identity behind Pr0duct Cypher (speaking of PC -- I haven't heard from you in a while), but it is difficult to securely obtain assurance of the binding behind the key and the keyid.
With a pseudonym, all a signature really says is that this is the key that always goes with the posts signed by this nym. Assuming there has not been more than one key claiming to be the "real" nym, then after a while there can be no doubt that the key and nym go together (which is all that was to be proved). Personally, I sign nyms that have existed consistently for some time. I have never distributed any of these signed keys, but see no harm in doing so as long as the key's user-id field clearly indicates that the key is a nym and not a person. A sig on a key by a notable like Tim May would help keep new users from getting taken in by some interloper claiming to be Pr0duct Cypher.
Unless you reveal your pseudonym to someone and identify yourself according to the rules of the PGP Web of Trust, you should not be able to get signatures on your PGP public key.
Well, this isn't the case. It is possible to set up a server that compares userID to mailID in some secure manner. For example, there could be some way to get secure mail from a user to a server, and the server could verify the mail address, and then validate the mail address to the PGP keyID.
-derek
If I am trying to maintain a truly anonymous pseudonym, I am hardly likely to allow anyone to connect my key with an email address. All a sig on a pseudonym's key means is that it is the key which signs posts from that nym, not such a hard thing to demonstrate with enough empirical evidence.

-Louis Cypher

P.S. I can be reached privately by leaving a message in alt.anonymous.messages with my name in the subject line.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBLo9uWKyHUAO76TvRAQFVpwP+PJ9Ratos4OirW5VvO+r8ZdYig4e4JsR1
T2UGzFsyCLJnG+IyPc3d2xh3ipyM4Ifaw9pcp4xNJuimzaWyU+MfAzCr4IF6CLB2
R8+s/HW8kH5uiXdV+NCv95OL7zBI4p9GiWBiphsfcEkKkhI1CiHXhcoDR6CIIfdO
MVe2HEASEng=
=Dfb5
-----END PGP SIGNATURE-----
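The point both sides of the thread agree on is that a signature on a nym's key only asserts "this is the key that consistently signs this nym's posts", and that the binding is established by empirical evidence over time. The following is an added worked example, not code from the original message or from any participant: a trust-on-first-use ledger that records the key fingerprint first seen for a nym, counts later posts validly signed by that same key, and flags a post under the same nym from a different key (the interloper case mentioned above) as well as a post whose signature does not verify. The signature scheme is a minimal, unpadded textbook RSA over a SHA-256 digest written with the standard library only so the example runs offline; it stands in for PGP and is not suitable for production use. The nym name reuses the thread's example, and the posts are constructed sample data.

```python
"""Key-continuity ("trust on first use") check for a pseudonym's signed posts.

Added example, not from the original thread. Textbook RSA is used only so
that signing and verification work offline; it is illustrative, not a
production signature scheme (no padding, no side-channel considerations).
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite witness found
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime of exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

    def fingerprint(self) -> str:
        """Hash of the public key material, playing the role of a PGP fingerprint."""
        material = self.n.to_bytes((self.n.bit_length() + 7) // 8, "big")
        return hashlib.sha256(material + self.e.to_bytes(4, "big")).hexdigest()[:40]

    def verify(self, message: bytes, signature: int) -> bool:
        digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
        return pow(signature, self.e, self.n) == digest


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int
    public: PublicKey

    def sign(self, message: bytes) -> int:
        digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
        return pow(digest, self.d, self.n)


def generate_keypair(bits: int = 512) -> PrivateKey:
    """Textbook RSA key generation; modulus is wider than the 256-bit digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return PrivateKey(n, pow(e, -1, phi), PublicKey(n, e))


@dataclass
class NymLedger:
    """Records which key first signed for a nym and how much evidence has accumulated."""
    known: dict = field(default_factory=dict)       # nym -> fingerprint of first-seen key
    posts_seen: dict = field(default_factory=dict)  # nym -> validly signed posts by that key

    def check_post(self, nym: str, body: bytes, signature: int, key: PublicKey) -> str:
        """Classify a post: 'bad-signature', 'first-use', 'consistent' or 'key-mismatch'."""
        if not key.verify(body, signature):
            return "bad-signature"
        fp = key.fingerprint()
        if nym not in self.known:
            self.known[nym] = fp
            self.posts_seen[nym] = 1
            return "first-use"
        if self.known[nym] != fp:
            return "key-mismatch"                  # valid sig, but not the nym's usual key
        self.posts_seen[nym] += 1
        return "consistent"

    def evidence(self, nym: str) -> int:
        return self.posts_seen.get(nym, 0)


def demo() -> dict:
    """Three genuine posts, one interloper post with another key, one altered post."""
    ledger, nym_key, interloper = NymLedger(), generate_keypair(), generate_keypair()
    results = []
    for i in range(3):                             # constructed sample posts
        body = f"post {i} from the nym".encode()
        results.append(ledger.check_post("Pr0duct Cypher", body, nym_key.sign(body), nym_key.public))
    body = b"I am the real Pr0duct Cypher, use this new key"   # constructed interloper post
    results.append(ledger.check_post("Pr0duct Cypher", body, interloper.sign(body), interloper.public))
    altered = b"post 0 from the nym, altered in transit"         # constructed tampered post
    results.append(ledger.check_post("Pr0duct Cypher", altered, nym_key.sign(b"post 0 from the nym"), nym_key.public))
    return {"results": results, "evidence": ledger.evidence("Pr0duct Cypher")}
```

The ledger deliberately does not try to learn who is behind the key, which is exactly the thread's point: the only claim it can check is continuity, so an interloper's post is rejected not because its signature is bad (it verifies fine under the interloper's own key) but because the key differs from the one the nym has used all along.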