Nom de guerre public key

Fran Litterio franl at
Wed Oct 5 07:57:08 PDT 1994


tcmay at (Timothy C. May) writes:

> Fran Litterio wrote:

> > Unless you reveal your pseudonym to someone and identify yourself
> > according to the rules of the PGP Web of Trust, you should not be able
> > to get signatures on your PGP public key.

> What are the "rules of the PGP Web of Trust"?

They are pretty simple.  Don't sign someone's PGP key unless you have
firsthand knowledge that it is their key.  Implicit in this knowledge
is the knowledge that they are accurately named by the userid on the
key.  This requires either that you have a significant personal
relationship with the key owner (i.e., long-time friend, lover, etc.)
or that you have seen a significant form of photo-id (i.e., their
passport).  You must also obtain the key fingerprint via a relatively
tamperproof channel (i.e., phone call (if you recognize their voice)
or personal meeting).

> Tying public keys to physical persons is _one_ approach, but not the
> only one.

Yes, we might one day live in a world where every human interaction
takes place between pseudonymous entities that represent one or more
real people.  In such a world, there is no place for PGP's Web of
Trust.  Reputations will have to suffice.

> The "web of trust" models how we pass on advice, introduce others with
> our recommendations, etc., but it is not a very formal thing. 

It's less formal than, say, a central Certification Authority, but it
has some formalities that, if broken regularly and on a wide scale,
would render the Web of Trust ineffective.  Determining the identity
of the real person who owns the key you are signing is one of those

Fran Litterio                   franl at (617-498-3255)
CenterLine Software   
Cambridge, MA, USA 02138-1110   PGP public key id: 1270EA1D

More information about the cypherpunks-legacy mailing list