1994-10-05 - Re: Nom de guerre public key

Header Data

From: franl@centerline.com (Fran Litterio)
To: cypherpunks@toad.com
Message Hash: e53579fd9d05f237504fa43d4ae8db33ad1708f565cf29d78e8bfdf3c092fd2f
Message ID: <FRANL.94Oct5095822@draco.centerline.com>
Reply To: <FRANL.94Oct2201427@draco.centerline.com>
UTC Datetime: 1994-10-05 14:57:08 UTC
Raw Date: Wed, 5 Oct 94 07:57:08 PDT

Raw message

From: franl@centerline.com (Fran Litterio)
Date: Wed, 5 Oct 94 07:57:08 PDT
To: cypherpunks@toad.com
Subject: Re: Nom de guerre public key
In-Reply-To: <FRANL.94Oct2201427@draco.centerline.com>
Message-ID: <FRANL.94Oct5095822@draco.centerline.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

tcmay@netcom.com (Timothy C. May) writes:

> Fran Litterio wrote:

> > Unless you reveal your pseudonym to someone and identify yourself
> > according to the rules of the PGP Web of Trust, you should not be able
> > to get signatures on your PGP public key.
> 
> What are the "rules of the PGP Web of Trust"?

They are pretty simple.  Don't sign someone's PGP key unless you have
firsthand knowledge that it is their key.  Implicit in this knowledge
is the knowledge that they are accurately named by the userid on the
key.  This requires either that you have a significant personal
relationship with the key owner (i.e., long-time friend, lover, etc.)
or that you have seen a significant form of photo-id (i.e., their
passport).  You must also obtain the key fingerprint via a relatively
tamperproof channel (i.e., phone call (if you recognize their voice)
or personal meeting).

> Tying public keys to physical persons is _one_ approach, but not the
> only one.

Yes, we might one day live in a world where every human interaction
takes place between pseudonymous entities that represent one or more
real people.  In such a world, there is no place for PGP's Web of
Trust.  Reputations will have to suffice.

> The "web of trust" models how we pass on advice, introduce others with
> our recommendations, etc., but it is not a very formal thing. 

It's less formal than, say, a central Certification Authority, but it
has some formalities that, if broken regularly and on a wide scale,
would render the Web of Trust ineffective.  Determining the identity
of the real person who owns the key you are signing is one of those
formalities.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLpKw5XeXQmAScOodAQGZ1wP9ERuR2xab9ysUl0goc9qYGEy30S0CFrVd
C6MnuPFETML6BfJHRF/nM+4PTHwfox7Cfp4BEq55/D9FxpvmFwZ/v4A7mKKzJVoD
Jl9Ex3lWxvdM3hv99Zt+dzaWSNvoAbwVIXHwgYS6PyZ68EIKhTJogStarWybpj1R
yez5a/MlFw0=
=le0b
-----END PGP SIGNATURE-----
--
Fran Litterio                   franl@centerline.com (617-498-3255)
CenterLine Software             http://draco.centerline.com:8080/~franl/
Cambridge, MA, USA 02138-1110   PGP public key id: 1270EA1D
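Worked example, added here and not part of Fran's message or of PGP itself: the fingerprint check that the "tamperproof channel" rule above depends on, for the RSA (V3) keys PGP 2.6 used. It builds a V3 public-key packet, parses it back, derives the key ID and the MD5 fingerprint the way RFC 4880 section 12.2 describes for V3 keys (MD5 over the bodies of the MPIs n and e, without their two-octet length prefixes; key ID is the low 64 bits of n), and compares the result with a fingerprint obtained out of band. The modulus, exponent, creation time and "tampered" modulus are constructed toy values, not anyone's key, and the helper names are my own.

```python
# Added example (not from the original message or from PGP): V3 key ID and
# fingerprint per RFC 4880 section 12.2, plus the out-of-band comparison that the
# Web of Trust signing rule relies on. All key material below is constructed.
import hashlib
import re

# Constructed sample key material (NOT a real key; n is not even a product of
# two primes, which does not matter for the fingerprint arithmetic shown here).
SAMPLE_N = (1 << 255) | 0x5A5A5A5A12345679
SAMPLE_E = 65537
SAMPLE_CREATED = 781_300_000          # constructed creation time, seconds since epoch
# A second modulus standing in for a key an attacker substituted in transit.
TAMPERED_N = (1 << 255) | 0x6B6B6B6B11111111


def mpi_body(value: int) -> bytes:
    """Big-endian bytes of an MPI value, without the bit-length prefix."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def mpi(value: int) -> bytes:
    """Full OpenPGP MPI encoding: two-octet bit length, then the body."""
    return value.bit_length().to_bytes(2, "big") + mpi_body(value)


def read_mpi(buf: bytes, pos: int):
    """Decode one MPI at buf[pos:]; return (value, position after it)."""
    bits = int.from_bytes(buf[pos:pos + 2], "big")
    nbytes = (bits + 7) // 8
    body = buf[pos + 2:pos + 2 + nbytes]
    if len(body) != nbytes:
        raise ValueError("truncated MPI")
    return int.from_bytes(body, "big"), pos + 2 + nbytes


def build_v3_public_key_packet(n: int, e: int, created: int, validity_days: int = 0) -> bytes:
    """Old-format public-key packet (tag 6): version 3, time, validity, RSA (1), n, e."""
    body = (bytes([3]) + created.to_bytes(4, "big") + validity_days.to_bytes(2, "big")
            + bytes([1]) + mpi(n) + mpi(e))
    if len(body) > 255:
        raise ValueError("example only handles one-octet packet lengths")
    return bytes([0x98, len(body)]) + body   # 0x98 = 0x80 | (6 << 2) | length-type 0


def parse_v3_public_key_packet(pkt: bytes):
    """Inverse of build_v3_public_key_packet; rejects anything that is not V3 RSA."""
    if len(pkt) < 2 or pkt[0] != 0x98:
        raise ValueError("expected old-format tag-6 packet with one-octet length")
    body = pkt[2:2 + pkt[1]]
    if len(body) != pkt[1] or len(body) < 8 or body[0] != 3 or body[7] != 1:
        raise ValueError("not a complete V3 RSA public-key packet")
    n, pos = read_mpi(body, 8)
    e, pos = read_mpi(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes after key material")
    return n, e


def v3_fingerprint(n: int, e: int) -> str:
    """MD5 over the bodies of n and e, as PGP 2.x printed it (32 hex digits)."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()


def v3_key_id(n: int) -> str:
    """V3 key ID: the low 64 bits of the modulus (PGP 2.x displayed the low 32)."""
    return f"{n & 0xFFFFFFFFFFFFFFFF:016X}"


def short_key_id(n: int) -> str:
    return v3_key_id(n)[-8:]


def spaced_fingerprint(n: int, e: int) -> str:
    """Fingerprint grouped in pairs, the way it is read out over the phone."""
    fp = v3_fingerprint(n, e)
    return " ".join(fp[i:i + 2] for i in range(0, len(fp), 2))


def normalize_fingerprint(text: str) -> str:
    """Strip spacing and case from a fingerprint written down or read aloud."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint_matches(n: int, e: int, out_of_band: str) -> bool:
    """The check behind the rule: the key you received must hash to the
    fingerprint obtained over a channel the attacker could not rewrite."""
    return v3_fingerprint(n, e) == normalize_fingerprint(out_of_band)


if __name__ == "__main__":
    # What the owner reads to you on the phone (simulated here from the genuine key).
    phone_fp = spaced_fingerprint(SAMPLE_N, SAMPLE_E)
    # What arrived by e-mail: once intact, once with the modulus swapped in transit.
    for label, packet in (("genuine", build_v3_public_key_packet(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)),
                          ("tampered", build_v3_public_key_packet(TAMPERED_N, SAMPLE_E, SAMPLE_CREATED))):
        n, e = parse_v3_public_key_packet(packet)
        print(label, short_key_id(n), spaced_fingerprint(n, e),
              "OK to sign" if fingerprint_matches(n, e, phone_fp) else "DO NOT SIGN")
```

Two points the code makes visible. A V3 key ID is just the low bits of the modulus, which whoever generates the key chooses freely, so matching an ID such as the one in a signature line proves nothing; only the full fingerprint, compared against a copy taken from a voice you recognize or a face-to-face meeting, does the work. And the digest here is MD5 because that is what PGP 2.x used; it is not a choice anyone would make for a new key format today.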