Nom de guerre public key

Derek Atkins warlord at MIT.EDU
Wed Oct 5 19:29:28 PDT 1994


To: franl at (Fran Litterio)
cc: cypherpunks at
Subject: Re: Nom de guerre public key 
In-reply-to: Your message of "05 Oct 1994 13:31:42 GMT."
             <FRANL.94Oct5093142 at> 
- --------
> key's owner).  Sure signatures bind the userid to the key, but what
> good is that to third parties if they can't be sure that the userid
> accurately names the person who possesses that key?

What is in a name?  A name is just a convenience with which one can
identify some object/entity/etc.  "Pr0duct Cypher" is as much a valid
name as "Derek Atkins".  The fact that some entity can produce some
United States Government paperwork that says that the US Govt believes
that this person "exists" is irrelevant in this discussion.  The fact
that I can certify that "This Public key belongs to the identity
Pr0duct Cypher" is _all_ that a key signature says.

> When I meet you in person to hand you my key fingerprint, won't you
> require me to identify myself in order that you can be sure the name
> in the userid of my key is also the name of the person you are
> meeting?  If you do, then you will have just validated the binding
> between userid and real person.

This is a humanly-applied set of restrictions.  I have in the past
signed keys for people whom I haven't met in person; my personal
requirements for signing keys do require out-of-band authentication,
however.  Yet PGP does not impose this restriction.  I could create
an identity (call him Mr. X), and Mr. X could start to sign keys
based upon continuous communication.  

For example, Mr. X could encrypt a message to some other pseudosym,
and ask them to sign the message that was encrypted to them and send
it back.  Since only the owner of the key can both read it and sign
it, and since Mr. X only sent this to a single person (and included
some identification string), Mr. X could know, with marginal doubt,
that this key belongs to this identity -- even without ever meeting
this person and without ever needing to talk to a real person.

> entity.  Because the entity is unwilling to prove to me that there is
> a single real person who possesses the private half of his key.

This is fine -- you don't have to sign pseudonymous keys.  That is
your perogative.  That doesn't mean that there aren't cases where
signing a pseudonym's key is the right thing to do.

> I don't like the idea of an automaton possessing or signing PGP keys.
> People sign other people's keys because only people have the need to
> trust other people.  Automatons don't need to trust and they are not
> the direct targets of trust.  

So what you are saying is that you don't see any reason for a server
to be able to authenticate itself or for someone to be able to send a
message to a server?  You don't believe that there could be a
PGP-telnet?  If this is what you believe, then you have a very
short-sighted view of the world.

A server needs to trust that a person is allowed to log into it, or
that a client is allowed to use the service it provides.  As such, it
is vital that the server be able to authenticate to the client as much
as the client needs to authenticate to the server.  This requires that
the server itself maintain a key.

> This is the objection I had to Phil's
> signing of the Betsi public key.  As an automaton, Betsi is only as
> trustable as its human authors and adminstrators.  Yet Phil doesn't
> know who those people may be in five or ten years.  Yes, people change
> over time too, but not as quickly or as radically as an automaton can.
> It's too easy to subvert an automaton for me to ever sign an
> automaton's PGP key.

This is the point I am trying to make.  When I sign a key, I do not
say ANYTHING about how that key will be used -- I am only saying that
I know that that key is what it claims to be.  I know that this key
belongs to this user, this name, this email-address, this server.  I
don't know that if I sign your key you will then use it to send
threatening email to president at  And personally, I
don't care -- that shouldn't be a consideration in my signing your

Phil signed the Betsi key because to his knowledge that key really
belonged to the Betsi server.  Just like I will sign the MIT PGP
Keysigner key because I will know that it belongs to that identity.
As to how much trust I put in these keys to sign other keys is a
determination that I make orthogonal to the question of signing the
key.  I happened to write the keysigner software, so I know what it
will do -- but that is me -- you don't have to trust it if you don't
want to.

I think the problem here is that you are combining a number of
orthogonal decisions into a single one.  These decisions are:
	1) trust in userID to sign a key
	2) trust in that key to sign others
	3) trust in the usage of that key.

These are distinct for a reason, and should be kept that way.  If you
want to lump them together, that is your perogative, but that is not
something that can be, or should, be enforced.

- -derek

Version: 2.6


More information about the cypherpunks-legacy mailing list