Nom de guerre public key

Fran Litterio franl at centerline.com
Wed Oct 5 11:57:18 PDT 1994


-----BEGIN PGP SIGNED MESSAGE-----

nelson at crynwr.com (Russell Nelson) writes:

>    From: franl at centerline.com (Fran Litterio)
> 
>    That's part of it, but the more important binding created by a
>    signature is the binding between the userid and the real person.
>    Without that binding, the binding between the key and the userid is
>    useless.
> 
> Nonsense.  You're assuming that the real person wishes to carry their
> reputation over onto their key/userid combination.  Perhaps they wish
> to establish a separate reputation for it?  And once they've
> established that reputation, they wish to change keys?  Might you not
> sign such a new key?

I would not sign a pseydonymous entity's key based soley on the
reputation of the entity.  How do I defend against a man-in-the-middle
attack -- how do I know I'm not signing the middle-man's key instead
of the entity's key?

With a real person, my defense is to use a tamperproof out-of-band
channel to verify the key fingerprint: a phone call (for a friend
whose voice I recognize) or a personal meeting with passports (for
someone I don't know very well).  How do I do that with a pseudonymous
entity?  I'd really like to know if it's possible to do.

I'm all in favor of pseudonymous entities building reputations, but I
think that the price of pseudonymity is the inability to be part of a
PGP-like Web of Trust.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLpLtrneXQmAScOodAQGvRwP+Jj8aR/Qmbd9EdPmCzBw6AGj0fvXhdgal
MXN0HYsqiFPcqZf2GeeE764DpZrCAa54RheXsFa9sjkfJSzN2MfqV4HOiI/X3TvP
qZjt0Bzc8FX5e88CPTE7ajISbPWhhHyGYcbf5IY6u/a55jmSiwSUTuEysFb37QIT
2SCgNSW6uNs=
=ejKn
-----END PGP SIGNATURE-----
--
Fran Litterio                   franl at centerline.com (617-498-3255)
CenterLine Software             http://draco.centerline.com:8080/~franl/
Cambridge, MA, USA 02138-1110   PGP public key id: 1270EA1D






More information about the cypherpunks-legacy mailing list