At 4:53 PM 02/11/95, Tom Jones wrote:

One of the reasons that I consider this to be untrue is my empirical experience with two groups that are constantly interested in exactly who I am: the government and the credit bureaus. They both chose to use my SSN even though that has all the same attributes of a KeyID, except that it is somewhat denser. Now if this is what happens when the real world tries to identify me, why is the KeyID such a bad way to identify keys?

It seems like it might be important to note, however, that the government identification systems are definitely _centrazilized_ modes of information storage and distribution. Credit buearues are less obviously centralized, but still perhaps centralized. And it could be argued that credit bureaus would never have used a system like social security numbers for identification if it hadn't already been in widespread use in the centralized governmental systems which created it. This is in sharp contrast to the decentralized mode that we want our encryption and authorization to function in. This is for anti-authoritarian reasons, as well as simply practical reasons. When the government is involved, it can mandate that everyone use the system they are in control of, and they can get the neccesary manpower to actually implement a centralized system too. But we don't want to have to trust any one authority, and we also want a system where everyone does their own work (like DNS, where every domain has it's own server), if possible. Conventional wisdom is that PGP is inherently decentralized, and it is, in a sense, and in it's current web-of-trust model. But a social-security-number model of key distribution would definitely _not_ be centralized. You are assigned your social security number by a central authority, and others can look up your social security number by consulting with that central authority, or with other authorities that have themselves consulted with the central authority. That's not a model most of us think desirable for PGP key distribution. [It also could be noted that a SSN has some contained meaning, where a PGP keyid doesn't. The prefixes on your SSN say what state (and maybe even what county, I'm not sure) you were born in. But generally this isn't very useful information, so this probably isn't an important point.]