1994-10-06 - Re: Nom de guerre public key

Header Data

From: Joe Thomas <jthomas@access.digex.net>
To: Fran Litterio <franl@centerline.com>
Message Hash: f99f6e3d81b21d5a75c23afd242c29aebcf2a475b46b19e4218e80c6d9ff019b
Message ID: <Pine.SUN.3.90.941005223602.27984A-100000@access3.digex.net>
Reply To: <FRANL.94Oct5141756@draco.centerline.com>
UTC Datetime: 1994-10-06 02:51:17 UTC
Raw Date: Wed, 5 Oct 94 19:51:17 PDT

Raw message

From: Joe Thomas <jthomas@access.digex.net>
Date: Wed, 5 Oct 94 19:51:17 PDT
To: Fran Litterio <franl@centerline.com>
Subject: Re: Nom de guerre public key
In-Reply-To: <FRANL.94Oct5141756@draco.centerline.com>
Message-ID: <Pine.SUN.3.90.941005223602.27984A-100000@access3.digex.net>
MIME-Version: 1.0
Content-Type: text/plain


On 5 Oct 1994, Fran Litterio wrote:

> >    That's part of it, but the more important binding created by a
> >    signature is the binding between the userid and the real person.
> >    Without that binding, the binding between the key and the userid is
> >    useless.
> 
> I would not sign a pseudonymous entity's key based solely on the
> reputation of the entity.  How do I defend against a man-in-the-middle
> attack -- how do I know I'm not signing the middle-man's key instead
> of the entity's key?

> I'm all in favor of pseudonymous entities building reputations, but I
> think that the price of pseudonymity is the inability to be part of a
> PGP-like Web of Trust.

I probably ought to get out of lurk mode here, since my signature can be 
found on the key of one of the more prominent pseudonyms on the list, 
Black Unicorn.  I met Uni briefly at one of the (two) D.C. area 
cypherpunks meetings, last spring.  I didn't check his ID.  For all his 
reluctance to give his name here, he did, as I recall, attempt to give it at
the meeting.  (Pat Farrell was trying to draw a seating chart so we'd
know what to call each other, but he had trouble spelling Uni's 
name.)

I guess it could have been an impostor at the meeting, but enough 
of the details seemed to match up that I didn't have any doubts about 
him.  And I've probably got enough information from his posts, and my 
hazy recollection of his first name, to find out who he is, if I felt 
like it.

I guess my point is that key signing doesn't always fit into one 
particular category, one that requires a driver's license or passport.
That (or personal knowledge of the person) is the most secure method for 
keys that are clearly bound to a specific person, but it's not the only 
way things are done.

Joe




