key-signing for pseudonyms
Atom 'Smasher'
atom-gpg at suspicious.org
Mon May 17 03:31:17 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, 16 May 2004, Greg Sabino Mullane wrote:
> I probably would not sign the key of someone who had only signed it with
> a pseudonym, as a couple of forms of picture IDs (esp. government-issued)
> are usually a minimal requirement for me.
>
> As far as the email, perhaps it should be mentioned stronger in the
> documentation, but how else are you going to get the signed key
> back to the person? I always do this by email - if they don't control
> the email, they don't get my signature on their key*. Some people upload
> keys automatically to a keyserver after signing of course, but this
> is not only rude (if the recipient does not want their key put there)
> but dangerous, as it bypasses the email check.
=========================
that, too, should be made more explicit in the how-to guides. they tend to
range from instructing people to "sign the key and then you're done", to
"upload the signed key to a key-server."
> > in any case, i'm still looking for suggestions on proving a
> > pseudonymous identity....
>
> I think the best you can get is an email validation. There is little
> else that can be proved or disproved if the rest of the uid is
> just an arbitrary name with no real-world connection. Maybe if
> you had an ID with "Adam S. Masher"? :)
=======================
what if i was personally introduced to you as "atom smasher"? what if i
was introduced by someone who we've both personally known for years? what
if i was speaking at a conference, and identified as "atom smasher"?
assuming that you don't have any faith in who i claim to be (which is up
to you: i have to admit, i am suspicious), would you sign a key based only
on verification of an email address? would you sign it as:
* "I have not checked at all (1)"?
* "I have done casual checking (2)"?
* "I will not answer (0)"?
would you use a unique policy-url to describe the conditions under which
the key was signed? what might it say?
i'm not trying to put you under the spotlight or prove you wrong; nor do i
think there are any "wrong" answers. i'm trying to provoke the exchange of
ideas on how to solve this real-world problem... i'd actually like to hear
from anyone who can explain an answer that makes sense to them.
> * Nor do they get it unless they sign mine as well!
=======================
~someone~ has to go first, right?
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Reality is that which, when you stop believing in it,
doesn't go away."
-- Philip K. Dick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures
iEYEARECAAYFAkCoFeoACgkQnCgLvz19QeMSuACfU62SRV3cvYHB9rXOv9Mtdgc/
LPoAnjiy/pIgcqmyzhdfiAHJsKTwkT57
=VPxK
-----END PGP SIGNATURE-----
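An added illustration, not part of this thread: whichever cert level a signer picks (0, 1, 2 or 3) and any policy URL are written into the OpenPGP certification signature packet and can be read back by anyone who imports it, so the choice debated above is public. The Python below assumes plain RFC 4880 packet layout and no GnuPG; it builds a constructed certification packet with dummy MPIs around a placeholder policy URL and key id, reads those fields out, and can also decode the armored signature at the bottom of this mail.

```python
import base64, struct
# RFC 4880 certification signature types; GnuPG presents them as cert levels 0-3
CERT_TYPES = {0x10: "generic (level 0: will not answer)",
              0x11: "persona (level 1: not checked at all)",
              0x12: "casual (level 2: casual checking)",
              0x13: "positive (level 3: careful checking)"}
SIG_CREATION, ISSUER, POLICY_URI = 2, 16, 26   # signature subpacket types

def _subpacket(sp_type, body):
    # one-octet length form; the length counts the type octet, so body < 191 octets
    return bytes([len(body) + 1, sp_type]) + body

def build_certification(sig_type, policy_url, issuer_keyid):
    """Constructed v4 certification packet with dummy MPIs (it will not verify), but
    with the real fields a signer's cert level and policy URL are stored in."""
    hashed = _subpacket(SIG_CREATION, struct.pack(">I", 0x40A815EA))  # sample time (May 2004)
    hashed += _subpacket(POLICY_URI, policy_url.encode())   # placeholder URL from caller
    unhashed = _subpacket(ISSUER, issuer_keyid)            # 8-octet key id (placeholder)
    body = bytes([4, sig_type, 17, 2])                     # v4, type, DSA, SHA-1
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\x12\x34"                                    # left 16 bits of the hash
    body += b"\x00\x08\xa5" + b"\x00\x08\x5a"              # dummy MPIs r and s
    return bytes([0x88, len(body)]) + body                 # old-format tag 2, 1-octet length (<256)

def _parse_subpackets(data):
    found, i = {}, 0
    while i < len(data):
        ln = data[i]                                       # one-octet length form only
        found[data[i + 1]] = data[i + 2:i + 1 + ln]
        i += 1 + ln
    return found

def inspect_signature(pkt):
    """Return (type, meaning, policy URL, issuer key id): what anyone who imports
    the signature can read from it, whether or not it verifies."""
    body = pkt[2:2 + pkt[1]]
    if pkt[0] != 0x88 or body[0] != 4:
        raise ValueError("only old-format, 1-octet-length v4 signature packets handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = _parse_subpackets(body[6:6 + hlen])
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = _parse_subpackets(body[8 + hlen:8 + hlen + ulen])
    url = hashed.get(POLICY_URI, b"").decode() or None
    issuer = (hashed.get(ISSUER) or unhashed.get(ISSUER) or b"").hex()
    return body[1], CERT_TYPES.get(body[1], "not a certification"), url, issuer

def armored_packet(armor_lines):
    """Decode the base64 body of an ASCII-armored block, dropping the '=XXXX' CRC line."""
    return base64.b64decode("".join(l for l in armor_lines if not l.startswith("=")))
```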