key question

David Shaw dshaw at jabberwocky.com
Sun Feb 28 21:29:32 CET 2010


On Feb 27, 2010, at 4:54 PM, Grant Olson wrote:

> Doh!  Originally sent off list...  Maybe Robert got a psychic vibe...
> 
> On 2/27/2010 2:21 PM, MFPA wrote:
>> 
>> I don't want such a vote. Whether somebody chooses to include an email
>> address in their UID is up to the individual. I have not seen anything
>> that convinces me it is better for me to include one.
>> 
>> 
> 
> It sounds like you're using the software to do the opposite thing that
> many people do.  I think digital signatures are utilized much more than
> encrypted communication.

Yes.

>  And digital signatures are about
> authenticating to a real person, and not anonymity.

No.  Many (most?) digital signatures are used to authenticate a system, rather than a real person.  For an OpenPGP-specific example, it is widely used to authenticate software packages, both when distributed as source, and also built-in to things like RPM for distributing binaries.  Outside of OpenPGP, there is SSL, etc.

> If you don't want to publish your email for the anonymity/privacy
> reasons you've outlined, then you probably don't want to use your legal
> name either.  And it looks like you don't.  Which is fine for encrypting
> documents.  But it renders two key features of digital signatures
> meaningless.  Authentication and Non-repudiation go out the window.  How
> do I authenticate that an anonymous entity is really an anonymous
> entity?

It's not used in the same way, but it is far from meaningless.  You may not know who MFPA is, but if MFPA signs his messages (as he does), you can verify that the pseudonymous entity MFPA that you were speaking with yesterday is still the same pseudonymous entity MFPA you are speaking with today.

> Let's assume among your circle of friends, who know each other personally
> in real life, you sign off on each other's keys.  And I somehow know one
> of your friends, and we sign each other's keys.  To me, it's a
> meaningless assertion for someone to claim that they've verified that
> you're the real MFPA.  That doesn't mean anything to me because you're
> anonymous to me.  It also doesn't mean anything if you've signed off on
> someone's key.  What does it mean to me that MFPA vouched for someone
> else's identity?  Another meaningless assertion.

That isn't how the web of trust works.  Well, it *can* work that way for you, since you can choose who to trust and who not to, but that's not the information encoded in there.  I "know" dozens of people on the net.  I've exchanged encrypted mail with them, I've worked with them, in some cases for years... and I've never met them in person.  For all I know, they're actually a group of people sharing the same email address and using a name that looks like a real one, and not obviously pseudonymous like MFPA.

Think about what it really means in the web of trust when you see a signature.  The signature only maps back to a real person indirectly.

David
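The continuity check David describes (the MFPA you spoke with yesterday signs with the same key as the MFPA you speak with today) as an added, runnable illustration. This is not code from the thread or from GnuPG: it stands in Ed25519 from the Go standard library for OpenPGP, the "fingerprint" is just a hash of the public key rather than the OpenPGP construction, the message bodies and the "MFPA" User ID are constructed sample input, and the trust-on-first-use pinning is the verifier's own policy, not something the web of trust encodes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMessage is a constructed stand-in for an OpenPGP-signed mail: the User ID
// the sender claims, the public key the signature was made with, the body, and a
// detached signature over the body. Ed25519 is used instead of OpenPGP so the
// example runs with the Go standard library alone.
type SignedMessage struct {
	ClaimedUID string
	PubKey     ed25519.PublicKey
	Body       []byte
	Sig        []byte
}

// Fingerprint identifies a key by a hash of its public material, the way an
// OpenPGP fingerprint does (the hash construction here is not OpenPGP's).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8]) // shortened for readability
}

// Sign produces a message under the given key, claiming the given User ID.
// Note that nothing stops any key-holder from claiming any name.
func Sign(priv ed25519.PrivateKey, uid, body string) SignedMessage {
	return SignedMessage{
		ClaimedUID: uid,
		PubKey:     priv.Public().(ed25519.PublicKey),
		Body:       []byte(body),
		Sig:        ed25519.Sign(priv, []byte(body)),
	}
}

// Correspondent remembers which key fingerprint each pseudonym has signed with.
// Nothing here knows or cares who the pseudonym is in real life.
type Correspondent struct {
	pinned map[string]string // claimed UID -> fingerprint seen on first verified message
}

func NewCorrespondent() *Correspondent {
	return &Correspondent{pinned: make(map[string]string)}
}

// Check verifies the signature and then answers the only question a pseudonym
// lets you ask: is this the same key-holder as the "MFPA" I spoke to before?
func (c *Correspondent) Check(m SignedMessage) (ok bool, reason string) {
	if !ed25519.Verify(m.PubKey, m.Body, m.Sig) {
		return false, "signature does not verify"
	}
	fp := Fingerprint(m.PubKey)
	prev, seen := c.pinned[m.ClaimedUID]
	switch {
	case !seen:
		c.pinned[m.ClaimedUID] = fp // trust on first use: pin the key, not a real name
		return true, "first signed message from this pseudonym; key pinned"
	case prev != fp:
		return false, "pseudonym reused with a different key; not the same entity"
	default:
		return true, "same pseudonymous entity as before"
	}
}

// RunScenario replays the situation in the thread: the pseudonymous MFPA signs
// yesterday and today, then someone else reuses the name with their own key,
// and finally a tampered copy of a genuine message arrives. It returns the
// four verdicts in that order.
func RunScenario() []bool {
	_, mfpaPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	me := NewCorrespondent()
	yesterday := Sign(mfpaPriv, "MFPA", "constructed message sent yesterday")
	today := Sign(mfpaPriv, "MFPA", "constructed message sent today")
	impostor := Sign(impostorPriv, "MFPA", "constructed message from another key-holder calling themselves MFPA")
	tampered := today
	tampered.Body = []byte("constructed message sent today, altered in transit")

	var verdicts []bool
	for _, m := range []SignedMessage{yesterday, today, impostor, tampered} {
		ok, why := me.Check(m)
		fmt.Printf("%-5v %s (key %s): %s\n", ok, m.ClaimedUID, Fingerprint(m.PubKey), why)
		verdicts = append(verdicts, ok)
	}
	return verdicts
}

func main() { RunScenario() }
```

The pinned fingerprint is the whole identity: the second message is accepted because it is signed by the same key, the impostor is rejected even though the User ID string is identical, and the altered body fails plain signature verification. Authenticating "an anonymous entity" means exactly this, key continuity, and the web of trust only adds other people's certifications of the UID-to-key binding on top of it, not a mapping to a legal name.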



