At 04:54 PM 6/10/03 +0100, [EMAIL PROTECTED] wrote:
>> From: David Honig 
>> Why not publish your key under a bogus name that goes no-where? 
>The answer is simple. I cannot publish a PGP under a false name, because if
>I did, who would sign it to attest that the genuinely did belong to the
>person to whom it claimed to belong? Would you?

I don't know you.  Why should I trust your signing of someone else's key?

If I know a mutual aquaintence, no need for "web of trust".

If some *random* person is writing to you, why do you, or they, care
who signed your key?  It merely provides confidentiality to the
key-holders.  It does *NOT* link your meatspace entity to your email address.

You might have separate keys (and separate emails) for each identity
you maintain.  None of which need be linked to your meatspace "true name".

In fact, you could have different identities of yours sign your other
keys, and the gullible would believe them (you)!  The eBay equivalent
is having one 'identity' give positive feedback about another 'identity',
fooling those who assume they are different physical-entities.

>If we allow this, then the entire web-of-trust disintegrates.

There *is no web of trust* unless you know the signers.  In which
case you may as well have them forward keys manually.

>I have seen very little discussion of this point, anywhere. 

The cypherpunks archives have discussion on the invalidity of
a "web of trust" signed by unknown (or corruptable) entities.

The few replies
>I have had to my original question suggest that there simply _is_ no
>solution, except live with it. Either don't publish your key (which means
>that no-one can find your key even if they have a priori knowledge of your
>email address), 

You email your key to those who justify the request.  In plaintext,
or on the phone.  What is the problem with that? 

Don't assume that the "web of trust" has anything to do with trust,
just because it (ab)uses that word.

Think about collusions of signers.  Think about multiple identities.
Remember that the Govt issues false "real-world" IDs when it is convenient
for them
to do so.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to