key-signing for pseudonyms

Tue May 18 17:07:08 CEST 2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 18 May 2004, Mark H. Wood wrote:

> On Mon, 17 May 2004, Atom 'Smasher' wrote:
> [snip]
> > i think the issue of identity is shady for anyone who we don't ~really~
> > know... someone's name could ~really~ be "george w bush", and they could
> > really have the ID to prove it... that doesn't mean they're *the* george w
> > bush. if this is someone i know, i'd sign the key. if this is someone i
> > don't know, i'd be suspicious... they could be an impostor.
>
> Exactly!  What does a given label *mean*, and does it help you establish
> the relationship you consider to be "identity" for your particular
> purpose?  I did a search a few years back and found three other guys in my
> home town alone who are named Mark Wood.  One even has my middle initial.
>
> Say someone is in the Witness Protection Program.  You've checked out his
> name and other details, and it all matches his records.  Have you
> identified him or not?  It depends on what you want to know.
>
> I think that before we ask how we can identify someone, we need to ask
> ourselves, "what do I mean by 'identify'?"
=============================

the more i ponder this, the closer i come to this conclusion...

a name is a social construct that works well in small groups. in large
groups, it will tend to have a high failure rate in uniquely identifying a
person. despite it's failings in a social context, the construct has been
largely adopted 'as-is' as a legal construct, with nearly all of it's
failure original modes left intact, and some new failure modes created in
the process.

here in the states, civil judgments ("a" sues "b" for $x) are often
entered using only a persons name... this *frequently* results in people
having their credit screwed up because someone with the same (or very
similar) name owes money. if the courts can't get that straight, how can
we be expected to?

there must not be any anarchists on the list... thinking about this
problem from an anarchist perspective, one might conclude that verifying a
person's identity "serves the state" and is therefore bad. i suppose this
was hinted at since it creates a database of "who knows who".

email addresses are more likely than names to be a unique identifier, but
a person is (typically) more likely to keep their name for the duration of
their life.

all of that said, i still understand a value of verifying, to the best of
one's abilities, that a person is who they claim to be before signing
their key... it's just that proving a name can't always be the most
important thing in that verification process...

of the three checks that a person can do before signing, maybe that
[verifying the name] is important in *some* settings... maybe email
address is most important in *some* settings... maybe, in some settings,
verifying the fingerprint is the best we can hope for... the hard part
then, is establishing guidelines that are generally agreed on in regards
to key-signing... under what conditions do we assign different priorities
to different methods of establishing identity? the current documentation
on key-signing tends to share the same faults repeated in many places, so
this is a great opportunity to "rewrite the book", as they say....

now, if we can only figure out how to rewrite it...

	...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"Those who profess to favor freedom, and yet deprecate
	 agitation, are men who want rain without thunder and
	 lightning.  They want the ocean without the roar of
	 its many waters."
		-- Frederick Douglass
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish?  -  http://atom.smasher.org/links/#digital_signatures

iEYEARECAAYFAkCqJqMACgkQnCgLvz19QeNl1gCfZy0DfZUFHXp6duxN9HENPJtf
tOIAn1X3b+udjr4oHYSwomgka91SF1Gs
=iXaA
-----END PGP SIGNATURE-----