key-signing for pseudonyms

Atom 'Smasher' atom-gpg at
Mon May 17 00:35:18 CEST 2004


On Sun, 16 May 2004, Chris Fox wrote:
> Atom 'Smasher' wrote:

> > i'll re-read through it tonight. are there any particular parts in
> > particular that apply to our thread? the problem remains a social problem,
> > not a computer problem.
> Gotcha.  Well, as long as it's only a case of simple personal
> authentication  and not the evasion of a major government's dedicated
> intrusion attempts, I'd say do the confirmation over the telephone.  You
> can do PK key exchange through public channels and verify authenticity
> with a phone call.  It's not like ordinary individuals have networks of
> spies and spoofing servers at hand.

voice authentication works for people we know... my brother and i
confirmed each other's keys by reading the fingerprints over the phone (his
key isn't in circulation, so there was no point in signing each other's
keys). that would be a tough thing to spoof, since we've known each other
for quite a while ;)

at the other extreme, there are a few people here that i've been chatting
with off list, but having never met them, i would not sign their keys over
the phone.

using myself as an example, let's say i don't have any formal ID that
identifies me as "atom smasher" (whether or not i do is not a factor...
let's just say i don't). of course, some people have known me as "atom
smasher" for years, but most of them don't use pgp (so they don't count).

so, if i'm at a conference and i want to exchange key signatures with
people, i can prove that i currently control this email address and key by
sending some secrets back and forth.... not a problem... but if i want to
"prove" that i'm atom smasher...?? that could be tough....

and the weird thing is that the key-signing how-to guides go into detail
about verifying the fingerprint and name... that's only 2/3 of identifying
a key! in my situation, i can easily confirm 2/3 (email and fingerprint),
but it's not the 2/3 that most people are trained to look for.

is 2/3 good enough? should people sign my key if i prove my email address
and fingerprint are correct? or should the how-to guides be updated to
recognize that 1/3 of the identification process is currently missing?

in any case, i'm still looking for suggestions on proving a pseudonymous


 PGP key -
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

	"Until humankind opts for harmony with nature, over
	 domination, oneness over otherness, the seasons of
	 death and destruction will only escalate."
                -- Mumia Abu-Jamal
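The "sending some secrets back and forth" step from the post, written out as an added example (not code from the original message, and not GnuPG's own protocol): the verifier mails a random challenge to the claimed address, the key holder signs it, and the verifier checks the signature against the key whose fingerprint was compared in person. A successful run establishes the two parts the post says are easy (fingerprint and email) and leaves the third (name) explicitly unconfirmed. Assumptions: Go's ed25519 stands in for an OpenPGP key, a SHA-256 digest of the public key stands in for the OpenPGP fingerprint, the mail transport is simulated in memory, and the address is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Checks records which of the three things a key-signer is asked to
// verify have actually been confirmed.
type Checks struct {
	Fingerprint bool // fingerprint matches the one compared out of band
	Email       bool // a challenge delivered to the address came back signed
	Name        bool // real-world name checked against ID (open question for a pseudonym)
}

// Confirmed counts the parts of the identity that are established.
func (c Checks) Confirmed() int {
	n := 0
	for _, ok := range []bool{c.Fingerprint, c.Email, c.Name} {
		if ok {
			n++
		}
	}
	return n
}

// NormalizeFingerprint removes grouping spaces and case differences so a
// fingerprint read over the phone or printed on a slip compares reliably.
func NormalizeFingerprint(fp string) string {
	return strings.ToUpper(strings.Join(strings.Fields(fp), ""))
}

// Fingerprint is a stand-in for an OpenPGP fingerprint: the hex SHA-256 of
// the raw public key (constructed for this example, not the OpenPGP scheme).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// NewChallenge produces the secret the verifier mails to the claimed
// address: 32 random bytes bound to that address so a response cannot be
// reused to claim a different mailbox.
func NewChallenge(email string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte("keysign-challenge:"+email+":"), nonce...), nil
}

// Respond is what the key holder does after reading the challenge from
// their mailbox: sign it with the private key behind the fingerprint.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyKeyAndEmail checks the response. Success establishes two of the
// three parts: the key with the agreed fingerprint is controlled by whoever
// can read the mailbox the challenge was sent to. The name stays unchecked.
func VerifyKeyAndEmail(pub ed25519.PublicKey, agreedFP string, challenge, sig []byte) (Checks, error) {
	var c Checks
	if NormalizeFingerprint(Fingerprint(pub)) != NormalizeFingerprint(agreedFP) {
		return c, errors.New("fingerprint does not match the one compared out of band")
	}
	c.Fingerprint = true
	if !ed25519.Verify(pub, challenge, sig) {
		return c, errors.New("challenge was not signed by the key with that fingerprint")
	}
	c.Email = true // the challenge only ever existed in that mailbox
	return c, nil
}

func main() {
	// Constructed sample: the claimant generates a key, and the verifier has
	// already compared its fingerprint with them in person.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	agreed := Fingerprint(pub)

	challenge, _ := NewChallenge("claimant@example.invalid") // placeholder address
	sig := Respond(priv, challenge)

	checks, err := VerifyKeyAndEmail(pub, agreed, challenge, sig)
	if err != nil {
		fmt.Println("verification failed:", err)
		return
	}
	fmt.Printf("confirmed %d of 3 identity parts; name still unverified: %v\n",
		checks.Confirmed(), !checks.Name)
}
```

The fingerprint comparison happens before the signature check on purpose: a valid signature from some other key proves nothing about the key that was discussed in person, and the normalization means a fingerprint copied with different spacing or case still matches.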

