From: eric@remailer.net (Eric Hughes)
To: cypherpunks@toad.com
Message Hash: 550402b1d46b57b22f089e241f6575a38872616b3d997268c7f3c663419dcbc5
Message ID: <199412021609.IAA15568@largo.remailer.net>
Reply To: <9412021408.AA21731@yeti.bsnet>
UTC Datetime: 1994-12-02 15:11:10 UTC
Raw Date: Fri, 2 Dec 94 07:11:10 PST
From: eric@remailer.net (Eric Hughes)
Date: Fri, 2 Dec 94 07:11:10 PST
To: cypherpunks@toad.com
Subject: Re: Cypherpunks@hks.net service
In-Reply-To: <9412021408.AA21731@yeti.bsnet>
Message-ID: <199412021609.IAA15568@largo.remailer.net>
MIME-Version: 1.0
Content-Type: text/plain
From: dmandl@bear.com
What's next, automated key-signing
services?
Yep.
There are two purposes to signing a key. The first is to fix a bit
pattern and have an assurance that it hasn't changed. The second is
to attest to the mapping between a key and some entity.
PGP, for example, very explicitly does both. It asks you when you
sign a key if you're sure that the person is who is advertised. I
consider this behavior broken, not the least because it's hostile to
pseudonymity. This hardcoded policy hinders the use of PGP in other
contexts.
For email-only social contact (i.e. legally uninvolved) the
attestations of personal mapping are unnecessary and sometimes
downright undesirable. Some people may want them, true, and there
will be a need for that mechanism, but it should not be the only
choice available.
An automated key-signing server can affix a sequence of bits perfectly
adequately. So can digital timestamping algorithms, but they are not
generally available. Suppose the existence of just two auto-signing
servers. I, a pseudonym, send my key to each of these servers and get
back a two signatures on my key. It is unlikely now that someone can
spoof my key. The distribution for the signing keys of these servers
must be done right, but since there are fewer auto-signing servers
than things signed, more effort can be taken to do this, for example,
by publishing some hashcodes in a book.
Eric
Return to December 1994
Return to “eric@remailer.net (Eric Hughes)”