gpg for pseudonymous users

mirimir mirimir at riseup.net
Sun Apr 7 18:59:14 CEST 2013



On 04/07/2013 02:19 PM, Daniel Kahn Gillmor wrote:

<snip>

> But let's bring this discussion back out of the metaphysical
> territory of "what is the true nature of identity". In response
> to adrelanos' question, I tried to give an example of what sort of
> non-government-issued evidence a cautious and open-minded
> individual might consider.  What evidence are you willing to
> consider to establish belief in someone's identity?

Perhaps it's misleading to focus on the pseudonym "adrelanos". For me,
what's important is knowing that all Whonix releases come from the
same source (person, collective, etc).

Having an email address associated with the whonix-signing key
provides some assurance that support requests and bug reports are
going to the right place. It's also useful to know that the adrelanos
on this list is the Whonix signer at adrelanos at riseup.net with gnupg
key fingerprint "9B15 7153 925C 303A 4225 3AFB 9C13 1AD3 713A AEEF".

Over time, with ongoing peer review, "Whonix signer" aka adrelanos
develops a reputation for releasing useful and malware-free software,
for promptly patching all reported vulnerabilities, and so on. If
malware were found in Whonix, the reputation would diminish.

Peer-verified reputation is crucial in many contexts, especially where
government-issued identification is unworkable. Even so, that's not
enough, because most participants lack the necessary information and
expertise.

Also, reputation is not simply one-dimensional. If verifiable evidence
were presented linking Whonix/adrelanos to some organization or cause,
that might decrease adrelanos' reputation among some, and increase it
among others. Reputation is also multidimensional in other ways (e.g.,
expertise, financial integrity, on-time delivery and discretion).

Trusted third parties manage peer-verified reputation in particular
contexts. For example, Onionland marketplaces manage the reputations
of their sellers and buyers, whose accounts are linked to their gnupg
keys. There are also brokers that manage reputation more broadly.

Expecting gnupg to handle all that might be unrealistic. Multiple
trust parameters would be required, and consistent use in multiple
contexts would be difficult or impossible to enforce. But gnupg keys
can serve as the index for reputation data.

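
The continuity check described in the message above (every release traces back to one signing key) can be automated over GnuPG's machine-readable status output. This is an added example, not part of the original post or of the Whonix project's tooling; the fingerprint is the one quoted in the message, while the release names and every status line are constructed.

```python
# Added example: key-continuity check over `gpg --status-fd 1 --verify` output.
# Fingerprint taken from the post; every status line below is constructed.
PINNED = "9B15 7153 925C 303A 4225 3AFB 9C13 1AD3 713A AEEF".replace(" ", "")

def signer_fingerprint(status_text):
    """Primary-key fingerprint behind the valid signature(s), or None."""
    signers = set()
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != "[GNUPG:]":
            continue
        if f[1] in ("BADSIG", "ERRSIG"):
            return None  # any bad or uncheckable signature fails the release
        if f[1] == "VALIDSIG":
            # f[2] is the signing (sub)key; the tenth argument, when present,
            # is the primary key, the identity that reputation attaches to.
            signers.add((f[11] if len(f) >= 12 else f[2]).upper())
    return signers.pop() if len(signers) == 1 else None

def check_releases(status_by_release, pinned=PINNED):
    """Map each release name to same-signer / different-signer / unverified."""
    verdicts = {}
    for name, status in status_by_release.items():
        fpr = signer_fingerprint(status)
        if fpr is None:
            verdicts[name] = "unverified"
        else:
            verdicts[name] = "same-signer" if fpr == pinned else "different-signer"
    return verdicts

SUBKEY = "A" * 40  # constructed signing-subkey fingerprint
OTHER = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed unrelated key
TAIL = "2013-04-07 1365353954 0 4 0 1 2 00"  # constructed signature metadata
SAMPLE = {  # release names are hypothetical
    "release-a": f"[GNUPG:] VALIDSIG {PINNED} {TAIL} {PINNED}",
    "release-b": f"[GNUPG:] VALIDSIG {SUBKEY} {TAIL} {PINNED}",
    "release-c": f"[GNUPG:] GOODSIG {OTHER[-16:]} someone\n"
                 f"[GNUPG:] VALIDSIG {OTHER} {TAIL} {OTHER}",
    "release-d": f"[GNUPG:] BADSIG {PINNED[-16:]} adrelanos",
}

if __name__ == "__main__":
    for name, verdict in check_releases(SAMPLE).items():
        print(name, verdict)
```

A cryptographically valid signature from an unrelated key is reported as different-signer, not as a pass, and a BADSIG line that names the expected key ID is reported as unverified.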


