gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 29 18:30:48 CET 2013


I've changed the subject line to indicate that this thread is about
establishing a pseudonym, *not* about anonymous users.  This is a subtle
but important difference.

On 03/29/2013 12:41 PM, Forlasanto wrote:

> The web of trust is simply a conventional way for people to judge how
> trustworthy your key is. Nothing more, nothing less.

I'm afraid that the term "web of trust" tends to lead people into
misunderstandings about what this network of public identity
certifications does.

These certifications do *not* imply trustworthiness of the people who
hold the keys, and it doesn't make much sense to speak of a given key
being "trustworthy" on its own -- what would you trust it to do?

Rather, the system provides a way to determine the publicly-stated
identities associated with each key.

------------

For a pseudonymous author who wants to establish a credible claim to a
given identity, one way would be to encourage the people who have been
following the work of that author to certify the key.  In that case, how
would they know it's the right one?  This is a shade different from
other scenarios, but if, for example, i had been using tool X for 5
years, and had been corresponding with the author (e.g. bug reports,
thank-you notes, feedback, etc) over that time and all the
communications and versions of the tool that i received consistently
demonstrated that the person on the other end had control of the key in
question, i would have no problem certifying that identity.

However, the original poster can't quite ask all her long-standing users
to sign her key publicly, because her users by definition are interested
in retaining their own anonymity, and signing the key of a pseudonymous
author of anonymity-providing tools can draw unwelcome attention to the
signer.

So i think the original poster's best bet is to contact well-known
anonymity and privacy advocates (who are not themselves anonymous or
pseudonymous) and encourage them to follow and engage with her work.
This can be done by participating in relevant online communities (like
this one), providing constructive feedback to other projects, making
sure your work is useful, etc.  When these relationships are
well-established, the original poster could approach her non-anonymous
peers, and ask them to publicly certify her OpenPGP key.

I'm an example of a non-anonymous advocate for private and anonymous
communication; there are probably others on this mailing list.  However,
i have never heard of the original poster or her project before this
thread, and i don't have the time right now to review or follow the
project, so i'm not the best candidate for this particular engagement.

Regards,

	--dkg
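An added example (not part of dkg's post) of the check a long-standing user would make before certifying: take gpg's machine-readable `--status-fd` output for each artefact received over the years and confirm that every valid signature traces to the same primary key, and over what span of time. The fingerprints, file names and timestamps below are constructed placeholders; `gpg_status` shows how the real status text is obtained.

```python
import subprocess

# Constructed placeholder fingerprints; no real keys are referenced.
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
OTHER = "9999999999999999999999999999999999999999"

def fake_status(subkey, primary, date, ts):
    """Constructed gpg --status-fd output for one good signature."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {subkey[-16:]} Author <a@example.net>\n"
            f"[GNUPG:] VALIDSIG {subkey} {date} {ts} 0 4 0 1 10 01 {primary}\n"
            "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")

# Five years of constructed artefacts received from the same pseudonymous author.
HISTORY = [
    ("tool-1.0.tar.gz", fake_status(SUBKEY, PRIMARY, "2008-03-01", 1204329600)),
    ("bug-reply.eml", fake_status(SUBKEY, PRIMARY, "2010-06-15", 1276560000)),
    ("tool-3.2.tar.gz", fake_status(SUBKEY, PRIMARY, "2013-03-29", 1364515200)),
]
# Same history, except the newest release is signed by an unrelated key.
HISTORY_MISMATCH = HISTORY[:2] + [
    ("tool-3.2.tar.gz", fake_status(OTHER, OTHER, "2013-03-29", 1364515200))]

def gpg_status(path, detached_sig=None):
    """Real status output for a file: gpg --verify [sig] file, status on fd 1."""
    args = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    args += [detached_sig, path] if detached_sig else [path]
    return subprocess.run(args, capture_output=True, text=True).stdout

def parse_validsig(status_text):
    """(primary_fpr, signing_timestamp) from a VALIDSIG line, or None when gpg
    reported no valid signature (BADSIG, NO_PUBKEY, EXPKEYSIG, ...)."""
    for line in status_text.splitlines():
        f = line.split()
        if len(f) > 4 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # f[2] is the signing (sub)key; field 11 names the primary key when
            # gpg reports it, and a certification is about the primary key.
            return (f[11] if len(f) > 11 else f[2]).upper(), int(f[4])
    return None

def consistent_signer(history):
    """history: list of (label, status_text). Returns (primary_fpr, span_days)
    when every artefact carries a valid signature from one primary key; raises
    ValueError naming the first artefact that breaks the chain."""
    first, stamps = None, []
    for label, status in history:
        parsed = parse_validsig(status)
        if parsed is None:
            raise ValueError(f"{label}: no valid signature")
        fpr, ts = parsed
        first = first or fpr
        if fpr != first:
            raise ValueError(f"{label}: signed by {fpr}, not {first}")
        stamps.append(ts)
    return first, (max(stamps) - min(stamps)) // 86400
```

A consistent chain over a long span is evidence that one key has been in the author's control, which is what a certification asserts; a break in the chain is the case to investigate before signing anything.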
