The disadvantages of online KSP

[Atom 'Smasher']

On Sat, 25 Dec 2004, Ben Branders wrote:

> Yes, of course. But even if you do meet them in real life, how can you 
> ever be sure? If, for example, someone uses a nickname for his 
> e-mailadres and his key, how can you check if he really 'owns' that 
> nickname.
>
> Suppose I know someone with the nickname X2. I also know that there is a 
> key signing party next week. I make a new e-mailaccount, x2 at mail.com. 
> Then I generate a key for that account, but instead of typing my name, I 
> use 'X2' (which is of course the nickname of someone else).
>
> I go to the KSP and someone wants to sign my key. Although he can check 
> my identity, he can't know if X2 is my real nickname or not...
=======================

it makes no difference whether they're using a real name or pseudonym, if 
someone wants me to sign their key they have to *PROVE* to my satisfaction 
that they are who they claim to be. if someone is known as X2, then they 
have the same burden of proving their identity as they would if their name 
is david shaw. in either case they have to convince me that they are who 
they claim to be, although X2 may have a harder time of it than david shaw 
(i used to know someone else named david shaw). if either of them can't 
convince me that they are who they claim to be i will NOT sign their key.

i just wrote an extensive article on this topic (pgp Key Signing 
Observations - Overlooked Social and Technical Considerations) and i hope 
to see it soon in 2600, and several other publications after they break 
it. i'll also be talking about it at interz0ne 4.


-- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"Simply stated, there is no doubt that Saddam Hussein now
 	 has weapons of mass destruction."
 		-- Dick Cheney, 26 August 2002