key-signing for pseudonyms
atom-gpg at suspicious.org
Mon May 17 00:35:18 CEST 2004
On Sun, 16 May 2004, Chris Fox wrote:
> Atom 'Smasher' wrote:
> > i'll re-read through it tonight. are there any particular parts in
> > particular that apply to our thread? the problem remains a social problem,
> > not a computer problem.
> Gotcha. Well, as long as it's only a case of simple personal
> authentication and not the evasion of a major government's dedicated
> intrusion attempts, I'd say do the confirmation over the telephone. You
> can do PK key exchange through public channels and verify authenticity
> with a phone call. It's not like ordinary individuals have networks of
> spies and spoofing servers at hand.

voice authentication works for people we know... my brother and i
confirmed each other's keys by reading the fingerprints over the phone (his
key isn't in circulation, so there was no point in signing each other's
keys). that would be a tough thing to spoof, since we've known each other
for quite a while ;)

at the other extreme, there are a few people here that i've been chatting
with off list, but having never met them, i would not sign their keys over

using myself as an example, let's say i don't have any formal ID that
identifies me as "atom smasher" (whether or not i do is not a factor...
let's just say i don't). of course, some people have known me as "atom
smasher" for years, but most of them don't use pgp (so they don't count).

so, if i'm at a conference and i want to exchange key signatures with
people, i can prove that i currently control this email address and key by
sending some secrets back and forth.... not a problem... but if i want to
"prove" that i'm atom smasher...?? that could be tough....

and the weird thing is that the key-signing how-to guides go into detail
about verifying the fingerprint and name... that's only 2/3 of identifying
a key! in my situation, i can easily confirm 2/3 (email and fingerprint),
but it's not the 2/3 that most people are trained to look for.

is 2/3 good enough? should people sign my key if i prove my email address
and fingerprint are correct? or should the how-to guides be updated to
recognize that 1/3 of the identification process is currently missing?

in any case, i'm still looking for suggestions on proving a pseudonymous
PGP key - http://atom.smasher.org/pgp.txt

762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"Until humankind opts for harmony with nature, over
domination, oneness over otherness, the seasons of
death and destruction will only escalate."
-- Mumia Abu-Jamal
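The "sending some secrets back and forth" step from the message above, as an added example (not code from the message, the list, or any key-signing how-to): the verifier encrypts a random token to the claimed fingerprint and sends it to the address in the UID, so only someone who both reads that mailbox and holds the private key can return it. That confirms the email and fingerprint thirds of the identification and says nothing about the name third. It assumes gpg 2.x on PATH, uses throwaway GNUPGHOME directories, a file in place of the mail transport, and a constructed sample UID.

```shell
#!/bin/sh
# Proof-of-control challenge: the verifier encrypts a random token to the
# claimed fingerprint and sends it to the address in the UID; only someone who
# reads that mailbox AND holds the private key can return it. This confirms the
# email and fingerprint thirds of the identification and says nothing about the
# name third. Assumes gpg 2.x on PATH; keys live in throwaway GNUPGHOME dirs,
# the "mail" transport is a file, and the UID is a constructed sample.
set -eu

CLAIMED_UID='atom smasher <atom@example.invalid>'
CLAIMANT=$(mktemp -d); VERIFIER=$(mktemp -d); OTHER=$(mktemp -d)
trap 'rm -rf "$CLAIMANT" "$VERIFIER" "$OTHER"' EXIT

gen_key() {   # $1 = GNUPGHOME; unprotected key, no prompts, no expiry
  GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$CLAIMED_UID" default default never 2>/dev/null
}
fingerprint() {   # $1 = GNUPGHOME; primary key fingerprint without spaces
  GNUPGHOME=$1 gpg --batch --with-colons --fingerprint | awk -F: '/^fpr/ {print $10; exit}'
}
# Verifier: import the public key it was handed and encrypt a fresh token to the
# fingerprint written on the claimant's slip. Prints the token it expects back.
issue_challenge() {   # $1 = public key file, $2 = claimed fingerprint
  GNUPGHOME=$VERIFIER gpg --batch --quiet --import "$1" 2>/dev/null
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s\n' "$token" | GNUPGHOME=$VERIFIER gpg --batch --quiet --yes --armor \
    --trust-model always --recipient "$2" --encrypt > "$VERIFIER/challenge.asc"
  printf '%s' "$token"
}
# Whoever received the "mail" tries to decrypt it; a wrong keyring yields nothing.
answer_challenge() {   # $1 = GNUPGHOME of the responder
  GNUPGHOME=$1 gpg --batch --quiet --decrypt "$VERIFIER/challenge.asc" 2>/dev/null || true
}
# Exit status 0 only when the secret that comes back is the one that was sent.
check_control() {   # $1 = GNUPGHOME of the responder, $2 = token issued
  [ "$(answer_challenge "$1")" = "$2" ]
}

gen_key "$CLAIMANT"
gen_key "$OTHER"          # same name string, different key: the "impostor"
FPR=$(fingerprint "$CLAIMANT")
GNUPGHOME=$CLAIMANT gpg --batch --quiet --armor --export "$FPR" > "$VERIFIER/pub.asc"
TOKEN=$(issue_challenge "$VERIFIER/pub.asc" "$FPR")

check_control "$CLAIMANT" "$TOKEN" && echo "email+fingerprint control confirmed for $FPR"
check_control "$OTHER" "$TOKEN" || echo "responder without the matching private key rejected"
```

A real exchange would deliver challenge.asc by mail to the UID address and have the token come back in a signed reply; the name in the UID is still taken on faith.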