key-signing for pseudonyms
Atom 'Smasher'
atom-gpg at suspicious.org
Mon May 17 00:35:18 CEST 2004
On Sun, 16 May 2004, Chris Fox wrote:
> Atom 'Smasher' wrote:
> > i'll re-read through it tonight. are there any particular parts in
> > particular that apply to our thread? the problem remains a social problem,
> > not a computer problem.
>
> Gotcha. Well, as long as it's only a case of simple personal
> authentication and not the evasion of a major government's dedicated
> intrusion attempts, I'd say do the confirmation over the telephone. You
> can do PK key exchange through public channels and verify authenticity
> with a phone call. It's not like ordinary individuals have networks of
> spies and spoofing servers at hand.
======================================
voice authentication works for people we know... my brother and i
confirmed each other's keys by reading the fingerprints over the phone (his
key isn't in circulation, so there was no point in signing each other's
keys). that would be a tough thing to spoof, since we've known each other
for quite a while ;)
at the other extreme, there are a few people here that i've been chatting
with off list, but having never met them, i would not sign their keys over
the phone.
using myself as an example, let's say i don't have any formal ID that
identifies me as "atom smasher" (whether or not i do is not a factor...
let's just say i don't). of course, some people have known me as "atom
smasher" for years, but most of them don't use pgp (so they don't count).
so, if i'm at a conference and i want to exchange key signatures with
people, i can prove that i currently control this email address and key by
sending some secrets back and forth.... not a problem... but if i want to
"prove" that i'm atom smasher...?? that could be tough....
and the weird thing is that the key-signing how-to guides go into detail
about verifying the fingerprint and name... that's only 2/3 of identifying
a key! in my situation, i can easily confirm 2/3 (email and fingerprint),
but it's not the 2/3 that most people are trained to look for.
is 2/3 good enough? should people sign my key if i prove my email address
and fingerprint are correct? or should the how-to guides be updated to
recognize that 1/3 of the identification process is currently missing?
in any case, i'm still looking for suggestions on proving a pseudonymous
identity....
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Until humankind opts for harmony with nature, over
domination, oneness over otherness, the seasons of
death and destruction will only escalate."
-- Mumia Abu-Jamal
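The "secrets back and forth" check mentioned in the post, written out as an added example (not code from the post or from GnuPG): a random token is encrypted to the key and delivered to the address in the UID, and a correct reply shows the signee controls both the private key and that mailbox, i.e. the fingerprint and email thirds of the identity, but nothing about the name. It assumes gpg 2.1 or later on PATH; the UID, address and inbox file are constructed for the demo, and the real delivery step would go over SMTP.

```shell
#!/bin/sh
# caff-style challenge/response in a scratch GnuPG home (added example, not
# from the original post). Names, address and the inbox file are constructed.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME
INBOX="$GNUPGHOME/inbox"          # stand-in for the signee's mailbox

# Signee's side: a pseudonymous key (nickname + address, no legal name).
make_signee_key() {
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Atom Smasher <atom@example.org>' default default 2>/dev/null
  # print the fingerprint the signer would have compared in person
  gpg --batch --with-colons --list-keys atom@example.org \
    | awk -F: '/^fpr/ { print $10; exit }'
}

# Signer's side: encrypt a fresh token to the fingerprint verified in person
# and deliver it to the address in the UID. --trust-model always is needed
# because, by definition, the key is not signed yet.
send_challenge() {
  fpr=$1
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s' "$token" \
    | gpg --batch --trust-model always --armor --encrypt --recipient "$fpr" > "$INBOX"
  printf '%s\n' "$token"          # signer keeps this to compare with the reply
}

# Signee's side: only the matching private key can recover the token.
answer_challenge() {
  gpg --batch --decrypt < "$INBOX" 2>/dev/null
}

# Signer's side: the reply must match exactly. In real use it must also come
# back from the UID's address, otherwise only key control has been shown.
verify_reply() {
  [ "$1" = "$2" ]
}

run_demo() {
  fpr=$(make_signee_key)
  token=$(send_challenge "$fpr")
  reply=$(answer_challenge)
  verify_reply "$token" "$reply" && echo "email+key control confirmed for $fpr"
}
```

A matching reply justifies signing the email-bearing UID at the level the signer's policy allows for "key and address verified, name not verified".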