key-signing for pseudonyms

Jeff Fisher jeff+gnupg at jeffenstein.org
Mon May 17 22:55:34 CEST 2004


On Mon, May 17, 2004 at 08:10:45PM +0200, Thomas Sjögren wrote:
> On Mon, May 17, 2004 at 06:43:47PM +0200, Jeff Fisher wrote:
> > Just my opinion (or the circles I travel in), but growing up in the US, almost
> > everybody personally knows one or two people who have a fake ID for getting
> > into bars under the legal drinking age.  Often these are legal IDs, issued by
> > the state, with falsified information.  For the truly paranoid, several of the
> > 9/11 terrorists had valid US driver's licences, as US citizens.
>  
> You're absolutely right, but what are the alternatives? 
> Yes, only signing keys for people you have known for 15 years is an
> option, but it's not really practical. In the end, it's all up to you
> and your paranoia level who or what you want to sign.

(Not necessarily a reply to this e-mail, just continuing my train of
thought...)

Perhaps I'm off into the mad rantings, but my thoughts are that the real
name is 1) difficult to reliably verify, because 2) it can be relatively
easily faked, 3) is not unique, 4) may not be important as generally you
know the person by their e-mail address or internet persona, at least for
people you meet at a keysigning party.

However, it is this piece of dubious information (the real name) that is
stressed in the key-signing party literature, in preference to the e-mail
address.  The only reference to verifying the e-mail address that I can
find is in the gpg man page under default-cert-check-level (and on this
mailing list).  Someone who's not on this list would not necessarily see
the importance of verifying the e-mail address, as I didn't until I
subscribed myself.

I'm open to be convinced that the real name is more important or as
important as the e-mail address, but all I've seen so far is that it's
more important, but not why it is more important.  Granted, it's
a bad idea to sign a key in a name that the owner does not use, but I
don't see the problem in signing a key with a pseudonym or alias, so long
as that is how I know the person behind the key.

Anyway, those are my thoughts, and, as the documentation says, it's up to the
individual to decide what constitutes verifying the information in the uid
before signing.  

I'd better stop now before I've beaten the dead horse too much...

-- 
jeff at jeffenstein.org                  http://www.jeffenstein.org/
Life's too short to dance with ugly women.

More information about the Gnupg-users mailing list