"just invent something..."

Ángel angel at pgp.16bits.net
Mon May 25 04:56:01 CEST 2020 

On 2020-05-24 at 00:14 -0400, Robert J. Hansen wrote:
> > I see a big hole in the validation part. The steps providex are
> > validating the offline identity but not matching it to the certificate
> > uid.
> 
> Correct, and that's by design.
> 
> There is no -- *NO* -- generally understood meaning for user IDs beyond
> "the name here is a meaningful term of address for an individual or
> individuals who control this email address".
> 
> Many years ago I was in Germany and tried to persuade a friend of mine
> to do the hard right thing as opposed to the easy wrong thing.  She
> rolled her eyes at me and declared "du bist Rob, der Ritter".  ("You're
> Rob, the knight.")  She was attempting to be sarcastic.  Bystanders
> misheard her as "du bist ein Raubritter" and a new nickname for me was
> born.[1]
> 
> So let's say I give you my ID and you're one of these people who knows
> me as Raubritter.  Would you sign raubritter at sixdemonbag.org?  Probably.
>  Should you?  Sure, why not?  You know there's a specific person, me,
> who answers that email address and you know exactly who I am in the eyes
> of the law, thanks to seeing my ID.
> 
> So why shouldn't you sign a pseudonym, if you know the pseudonym maps to
> an individual person?  And if you're going to sign a pseudonym, why not
> sign donald_trump at sixdemonbag.org if you happen to know there's a person
> or persons at that domain which answer to that name?
> 
> 
> 
> [1] This was thirty years ago.  Words tend to change their cultural and
> slang meanings over the years.  I don't know what the current
> implications of "Raubritter" are, and for that reason I don't use it or
> advertise it to others... but yeah, there are people who have known me
> for thirty years who still call me that.

I tried to cover that with
> unless it is the name he goes by in certain circles

The point is, if I met you as Raubritter, a government-issued id showing
a different name is unlikely to help.

Similarly, I remember a blog post written by Skud during the Nym wars,
where it was mentioned that being presented in conferences under the
legal name ‘Kirrily Robert’ tended to cause confusion. [1]


Of course, this leads to question if it would ever help to see such id.
I do think it can be helpful. There are cases where the other party is
known to use their legal name. Seeing an official id, and assuming it is
a legit one (would you correctly detect a fake id? even from a foreign
country?), doesn't stop that an impostor could appear with a valid id on
that name  (just like dealing with stripe doesn't mean it's the company
you really mean to [2], or you could live on many Bostons), but it
should restrict the odds somehow, by filtering the possibilities.
Remember, if we know the legal name beforehand (e.g. when verifying a
university email address, a tenured professor is unlikely _not_ to be
using their legal name, although publishing means that naming in
academia isn't straightforward either [3])

For online identities, a TOFU approach would probably work better. You
would want to link the identity with its good or bad interactions to the
cryptographic identity, regardless if who makes them is named Rob or
Dogbert.


For people you personally know -whatever the name-, you are probably
comfortable signing whatever name they used on their key, that's likely
how you know them and you may remember them.

However, that doesn't help much if you wanted t benefit from the WoT, as
the naming gets messy adding intermediate nodes between people.


Also, there are too many meanings given to a key signature. I would like
to have a standard set of notations with common meanings, so (in some
subset) we could all agree on what was meant.


Now, this is all quite complex to properly explain in a small FAQ entry,
focused to new users, and still be understood, I'm afraid.



Best regards




PS: I am no German speaker, so I have no idea what Raubritters are. Or
what would that term be used for 30 years ago, fwiw.



1- That site has fallen out of the internet and took a while to dig it
out, but I finally found it at
https://web.archive.org/web/20111115190646/http://infotrope.net/bio/my-name/
for the background on the why for that page see 
https://web.archive.org/web/20121213001724/http://infotrope.net/2011/07/22/ive-been-suspended-from-google-plus/
2- https://scotthelme.co.uk/the-power-to-revoke-lies-with-the-ca/
3- https://academia.stackexchange.com/questions/tagged/personal-name

More information about the Gnupg-users mailing list