key-signing for pseudonyms

Thomas Sjögren thomas at northernsecurity.net
Tue May 18 15:20:17 CEST 2004


On Mon, May 17, 2004 at 10:55:34PM +0200, Jeff Fisher wrote:
> Perhaps I'm off into the mad rantings, 

This is actually a very good rant; identification and trust are probably
the hardest part of GPG.

> but my thoughts are that the real
> name is 1) difficult to reliably verify, because 2) it can be relatively
> easily faked, 3) is not unique, 4) may not be important as generally you
> know the person by their e-mail address or internet persona, at least for
> people you meet at a keysigning party.

You're right, but as mentioned before the name is only 1/3 of the identification
process. If one of the three "steps" (photo-id, key fingerprint, email) isn't valid
or is impossible to perform, the signature doesn't end up on the key.
If the id doesn't match the person and/or the name on the key; no
signature.
If the key fingerprint isn't correct; no signature.
If the two steps above are accepted, you mail the signed key to the
uid's email address in an encrypted and signed mail. If the email address isn't valid; no
signature.

> However, it is this piece of dubious information (the real name) that is
> stressed in the key-signing party literature, in preference to the e-mail
> address.  The only reference to verifying the e-mail address that I can
> find is in the gpg man page under default-cert-check-level (and on this
> mailing list).  Someone who's not on this list would not necessarily see
> the importance of verifying the e-mail address, as I didn't until I
> subscribed myself.

Yes, and as Atom wrote in a previous mail, the literature needs to be
somewhat updated.

> I'm open to be convinced that the real name is more important or as
> important as the e-mail address, but all I've seen so far is that it's
> more important, but not why it is more important.  Granted, it's
> a bad idea to sign a key in a name that the owner does not use, but I
> don't see the problem in signing a key with a pseudonym or alias, so long
> as that is how I know the person behind the key.

Real names make it easier to identify a person with the help of
id-cards. Sure, id-cards can be copied, falsified and so on, but at the
moment I see no real alternatives (sorry to say).

If you know the person behind the key, there is no problem.

/Thomas
-- 
== thomas at northernsecurity.net | thomas at se.linux.org
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--