gpg for anonymous users - Alternative to the web of trust?

Forlasanto forlasanto at gmail.com
Fri Mar 29 17:41:51 CET 2013


On 3/29/2013 9:38 AM, adrelanos wrote:
>> Forgive me for saying so, but for something as high-profile as a linux
>> distro, using a pseudonym for signing the distro for the sake of
>> anonymity doesn't sound like a great plan.
> What's the alternative? Using my real identity? Does it make it any safer?
Using your real identity would be the alternative. The trade-off is
easier key signatures vs. identity obscurity. It would only be safer in
the sense that there won't be a scandal when/if your identity is
uncovered. Odds are, it won't be a big deal to many people,
realistically--but you never know what the future holds, right? As long
as you are comfortable with any possible future implications, then go
for it.

>
> I am more interested in development and documentation rather than
> building binaries, testing and uploading. Having deterministic builds
> and/or some creditable individual or organization (such as eff) creating
> binaries, signing and distributing more than welcome, but at the moment
> there is no implication that someone will step forward.
>

The web of trust is simply a conventional way for people to judge how
trustworthy your key is. Nothing more, nothing less. If you can
establish that trust some other way, then don't worry so much about the
web of trust. That's my opinion. No one is going to beat down your door
to sign your key, you'll have to ask them to do so. You can go to
key-signing parties and explain that your only purpose for the key is
signing the distro, and you'll probably get a few takers. The
alternative is, have an online keysigning party with all of the
developers of your distro, and everybody signs everyone else's key.

Or alternately you, as the distro manager, sign the keys of all your
lieutenants, and then they sign yours, plus all of their subordinates.
Then your key signatures would match your chain of command, and it would
actually work the way a web of trust is supposed to work. (that is, even
though you might not know their subordinates, you trust your
lieutenant's signatures, and therefore can consider their subordinates'
keys to be valid.) At that point, as far as the outside world is
concerned, you are deeply connected to the project, and it is reasonable
to trust that your key is valid, within its context. And /within/ the
distro's community, your key would be pretty solidly trusted, I'd say.
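The chain-of-command scheme described above depends on two separate things: the manager certifying (signing) the lieutenants' keys, and the manager assigning those lieutenants ownertrust so that their certifications count. The following is an added illustration, not code from the post or from GnuPG; it is a small model of the classic trust-model validity rules (a key becomes valid when certified by one fully trusted valid key or by three marginally trusted valid keys, up to max-cert-depth) run over a constructed manager/lieutenant/subordinate hierarchy with made-up key names. It shows that lieutenants' signatures alone make nothing valid unless the manager also sets their ownertrust, and that a key signed only by a subordinate with no ownertrust stays unknown.

```python
"""Toy model of OpenPGP web-of-trust validity (illustration, not GnuPG code).

Rules modelled (GnuPG classic defaults): a key is valid if it carries a
certification from one valid key with full/ultimate ownertrust, or from
three valid keys with marginal ownertrust, within max-cert-depth hops.
All key ids below are constructed sample data.
"""

from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Keyring:
    # certifications[target] = set of signer key ids that certified target's user id
    certifications: dict = field(default_factory=dict)
    # ownertrust[keyid] = how far we trust that key's owner to vouch for others
    ownertrust: dict = field(default_factory=dict)

    def certify(self, signer: str, target: str) -> None:
        """Record that `signer` has signed (certified) `target`'s key."""
        self.certifications.setdefault(target, set()).add(signer)

    def compute_validity(self, completes_needed=1, marginals_needed=3, max_cert_depth=5):
        """Return {keyid: depth} for every key this keyring considers valid.

        Depth 0 is our own (ultimately trusted) key; each hop through an
        introducer adds one. Keys absent from the result are not valid.
        """
        valid = {k: 0 for k, t in self.ownertrust.items() if t == ULTIMATE}
        changed = True
        while changed:  # propagate until no new key becomes valid
            changed = False
            for target, signers in self.certifications.items():
                if target in valid:
                    continue
                full = marginal = 0
                depths = []
                for s in signers:
                    # only certifications from already-valid keys within depth count
                    if s not in valid or valid[s] >= max_cert_depth:
                        continue
                    trust = self.ownertrust.get(s, UNKNOWN)
                    if trust in (ULTIMATE, FULL):
                        full += 1
                        depths.append(valid[s])
                    elif trust == MARGINAL:
                        marginal += 1
                        depths.append(valid[s])
                if full >= completes_needed or marginal >= marginals_needed:
                    valid[target] = min(depths) + 1
                    changed = True
        return valid


def chain_of_command(lieutenant_trust: str = FULL) -> dict:
    """Constructed hierarchy: manager -> lieutenants -> subordinates.

    `lieutenant_trust` is the ownertrust the manager assigns to each lieutenant;
    the certifications themselves are identical in both settings.
    """
    kr = Keyring()
    kr.ownertrust["manager"] = ULTIMATE          # the keyring owner's own key
    for lt in ("lt-alice", "lt-bob"):
        kr.certify("manager", lt)                # manager signs lieutenants' keys
        kr.ownertrust[lt] = lieutenant_trust     # ...and decides how much to trust them
    kr.certify("lt-alice", "sub-carol")          # lieutenants sign their subordinates
    kr.certify("lt-alice", "sub-dave")
    kr.certify("lt-bob", "sub-erin")
    kr.certify("sub-carol", "stranger")          # subordinate has no ownertrust set
    return kr.compute_validity()


if __name__ == "__main__":
    for trust in (FULL, MARGINAL):
        print(f"lieutenant ownertrust = {trust}: valid keys = {chain_of_command(trust)}")
```

With full ownertrust on the lieutenants, every subordinate's key is valid at depth 2 and the manager never had to sign them; with only marginal ownertrust, the lieutenants' keys are still valid (the manager signed them directly) but a single lieutenant's signature no longer suffices for the subordinates. In either case "stranger" stays unknown, because nobody set ownertrust on sub-carol.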