key-signing for pseudonyms
Jeff Fisher
jeff+gnupg at jeffenstein.org
Mon May 17 23:31:47 CEST 2004
On Mon, May 17, 2004 at 10:55:34PM +0200, Jeff Fisher wrote:
>
> I'm open to be convinced that the real name is more important or as
> important as the e-mail address, but all I've seen so far is that it's
> more important, but not why it is more important. Granted, it's
> a bad idea to sign a key in a name that the owner does not use, but I
> don't see the problem in signing a key with a pseudonym or alias, so long
> as that is how I know the person behind the key.

Bad form to reply to myself, but, as Murphy is my co-pilot, I forgot to
mention verifying the fingerprint out-of-band remains important.

Just to go off on another tangent... Would distributing one or more
challenges/responses at a key-signing party, either as a group or one on one,
add to the security? The challenges/responses would later be verified by
e-mail; there would need to be at least one for the group, or one for each
person present, and it would need to be worked out who would send the
challenge and who would send the response for each key that you plan on
signing.

By being present, you've verified that the person has the fingerprint to a
particular key, but as I'm not trusting that their real name is correct (or
allowing for pseudonyms), this would verify that the person who is at the
party actually has control of that key. This wouldn't replace a separate
challenge/response sent to each e-mail address to verify that the e-mail is
valid, but supplement it as a check to see if the person was physically
present. It doesn't open any more holes (that I can see) than the possibility
of fake IDs, and would close the loophole (for me, at least) that the person
was physically present at the key-signing party.

Can anybody see a loophole in this that doesn't already exist?

Another option could be stressing the photo ID on a key, but it seems that
very few people seem to do this at the moment.

Perhaps the above is already done by some people, but once again, does not
seem to be in the literature, so I'm appealing to the list.

>
> I'd better stop now before I've beaten the dead horse too much...
Well, one more lash...
--
jeff at jeffenstein.org http://www.jeffenstein.org/
One thing the inventors can't seem to
get the bugs out of is fresh paint.
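
The challenge/response check proposed in this message, as an added example that is not part of the original post: a nonce is handed over in person against a checked fingerprint, and the later e-mailed response is accepted only if that same key signed it. Lamport one-time signatures built from SHA-256 stand in for OpenPGP signatures so the sketch runs with the standard library alone; `hand_out_challenge`, `check_response`, the ledger and the two key holders are assumptions made for illustration.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def fingerprint(pk):
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def hand_out_challenge(ledger, fpr):
    # At the party: fingerprint fpr was checked face to face; record a fresh nonce.
    ledger[fpr] = secrets.token_hex(16)
    return ledger[fpr]

def check_response(ledger, pk, sig):
    # Later, by e-mail: accept only a key whose fingerprint was checked in
    # person and whose signature covers the nonce handed to that person.
    fpr = fingerprint(pk)
    nonce = ledger.get(fpr)
    if nonce is None or not verify(pk, nonce.encode(), sig):
        return False
    del ledger[fpr]  # each challenge is accepted once
    return True

def demo():
    ledger = {}
    a_sk, a_pk = keygen()  # attendee, known only by pseudonym (constructed)
    m_sk, m_pk = keygen()  # someone who was not at the party (constructed)
    nonce = hand_out_challenge(ledger, fingerprint(a_pk)).encode()
    return (check_response(ledger, m_pk, sign(m_sk, nonce)),  # unknown key
            check_response(ledger, a_pk, sign(m_sk, nonce)),  # wrong signer
            check_response(ledger, a_pk, sign(a_sk, nonce)),  # genuine
            check_response(ledger, a_pk, sign(a_sk, nonce)))  # reused
```

`demo()` returns one boolean per case; only the response signed by the key whose fingerprint was checked in person is accepted, and only once.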