Nom de guerre public key

Fran Litterio franl at
Wed Oct 5 11:57:18 PDT 1994


nelson at (Russell Nelson) writes:

>    From: franl at (Fran Litterio)
>    That's part of it, but the more important binding created by a
>    signature is the binding between the userid and the real person.
>    Without that binding, the binding between the key and the userid is
>    useless.
> Nonsense.  You're assuming that the real person wishes to carry their
> reputation over onto their key/userid combination.  Perhaps they wish
> to establish a separate reputation for it?  And once they've
> established that reputation, they wish to change keys?  Might you not
> sign such a new key?

I would not sign a pseudonymous entity's key based solely on the
reputation of the entity.  How do I defend against a man-in-the-middle
attack -- how do I know I'm not signing the middle-man's key instead
of the entity's key?

With a real person, my defense is to use a tamperproof out-of-band
channel to verify the key fingerprint: a phone call (for a friend
whose voice I recognize) or a personal meeting with passports (for
someone I don't know very well).  How do I do that with a pseudonymous
entity?  I'd really like to know if it's possible to do.

I'm all in favor of pseudonymous entities building reputations, but I
think that the price of pseudonymity is the inability to be part of a
PGP-like Web of Trust.

Fran Litterio                   franl at (617-498-3255)
CenterLine Software   
Cambridge, MA, USA 02138-1110   PGP public key id: 1270EA1D
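
The fingerprint check described in the message, as an added example that is not part of the original post: a would-be signer computes the fingerprint of the key that arrived over the network and compares it with the one obtained over the out-of-band channel. It assumes the V3 (PGP 2.x era) fingerprint defined in RFC 4880 section 12.2; the key numbers are constructed toy values and the function names are hypothetical.

```python
import hashlib
import hmac


def v3_fingerprint(n: int, e: int) -> str:
    """MD5 over the raw modulus then exponent bytes, without MPI length prefixes."""
    def raw(x: int) -> bytes:
        return x.to_bytes((x.bit_length() + 7) // 8, "big")
    return hashlib.md5(raw(n) + raw(e)).hexdigest().upper()


def display(fpr: str) -> str:
    """Format 32 hex digits as 16 byte pairs with a wider gap in the middle."""
    pairs = [fpr[i:i + 2] for i in range(0, 32, 2)]
    return " ".join(pairs[:8]) + "  " + " ".join(pairs[8:])


def normalize(spoken: str) -> str:
    """Drop spacing and case so a fingerprint read aloud or typed can be compared."""
    s = "".join(spoken.split()).upper()
    if len(s) != 32 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("not a 128-bit hex fingerprint")
    return s


def safe_to_sign(received_key: tuple, out_of_band_fpr: str) -> bool:
    """True only if the key received in-band matches the out-of-band fingerprint."""
    n, e = received_key
    return hmac.compare_digest(v3_fingerprint(n, e), normalize(out_of_band_fpr))


# Constructed toy values (far too small to be real keys). Both keys would
# carry the same userid; only the key material differs.
OWNER_KEY = (0xC5A3F1D2B7E94D618F0A3B5C7D9E1F23, 65537)
SUBSTITUTED_KEY = (0xA1B2C3D4E5F60718293A4B5C6D7E8F91, 65537)

if __name__ == "__main__":
    # What the key owner reads out over the phone or shows in person.
    read_aloud = display(v3_fingerprint(*OWNER_KEY))
    print("out-of-band fingerprint:", read_aloud)
    for label, key in (("owner", OWNER_KEY), ("substituted", SUBSTITUTED_KEY)):
        print(label, "key received ->", "sign" if safe_to_sign(key, read_aloud) else "refuse")
```

V3 fingerprints and MD5 are obsolete and current OpenPGP keys use longer fingerprints, but the comparison step is the same. The check only has value when the second channel is tied to the key owner, which is the gap the message points out for a pseudonymous entity.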