key-signing for pseudonyms
atom at suspicious.org
Mon May 17 21:46:04 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, 17 May 2004, Jeff Fisher wrote:
> Even if the document is faked, do you know the anti-counterfiet measures for
> the passports in more than a couple countries? Who's a paranoid guy to trust?
and here in the states, we tend to consider a drivers license valid ID...
each of the 50 states (not including territories) has their own license,
each of which has different strengths and weaknesses in proving validity.
at least one state (NJ) even offers a license without a photo!
bartenders have a book that lists each state's license and how to spot
fakes. my point isn't that there is such a book, but rather that there
needs to be such a book. i have heard many stories of people traveling
from one state to another and having their ~real~ IDs considered fake.
> Maybe the solution to the original problem is to get a passport that says
> "Atom Smasher" as the name. ;-)
hehehe... no comment... ;)
> I guess I'm in the minority here, but I'd consider the name to be the least
> important bit of information in the user id, as it is the most easily
> faked. Granted, most people do not have fake id's, and the value of faking
> a name for a pgp key is dubious, but IMO the only way to really trust the
> name is to know someone personally, or have trust in somebody who does know
> them personally. This is something you won't get at a keysigning party.
this ~is~ something you'd get, however, if a mutual long-time friend
introduces me as "atom smasher".
> Having a photo uid (as was suggested in the previous thread) may be an option,
> but doesn't add any weight to the real name on the key. Counterfeit documents
> can have any photo, and faked documents will of course match the person who
> supplied the false information.
i used to know a few people who got their fake IDs by using their older
brother/sister's birth certificate and claiming their license was lost...
for a small fee ($5?) they could get a new license with their picture on
it... nothing could be better for getting into bars!
> It's also possible to fake an e-mail address by intercepting the traffic or
> hacking into an e-mail server, but in my experience, this is limited to a
> much smaller group of people capable of such feats, and not likely to go
> undetected for long.
in which case, it may be prudent to verify the email address twice, over a
period of time?
> With the e-mail address, if your mail server is comprimised you are open to
> mitm attacks, but this would be almost impossible if the fingerprint is
> exchanged using another means. So, a combination of fingerprint and e-mail
> is likely to get you the right person, but the name stands alone, without a
> secondary means to verify it such as a mutual aquaintance.
> Just to add a bit more paranoia, at least in the US, there are books about
> changing your identity for whatever reason, and someone who has done this
> would have many people who only know them as the new name they have chosen.
> So maybe even vouching for someone isn't sure, or maybe the real name is just
> not a solid enough piece of information any longer. It all comes down to a
> leap of faith to actually trust the real name on a key. Even celebrities are
> not exempt. How many actors and singers go by stage names? Is it even
> relevant to know the real name of the person in these cases, as they are
> effectively know by their fake name?
> Of course, this could all just be the mad rantings of a bitter, paranoid
> old man...
or someone who looks at these things through a suspicious lens... which
can be healthy....
in any case, you're taking the lead for challenging the conventional
key-signing wisdom in a well thought, well articulated way.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"Poor people have access to the courts in the same
sense that the Christians had access to the lions."
-- Judge Earl Johnson, Jr.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----
More information about the Gnupg-users