Computer Cryptology discusses the issues with the lack of a connected
web of trust for remailer operators, and nyms in general.
> As I now think of it, I wouldn't expect a signature on "Foobar
> Admin" key to mean that the signer knows "Foobar Admin" in Real
> Life. I'd only expect that the signer compared the key with the
> same key obtained by other means and concluded it was the same.
> (Hopefully, those "other means" included a broadcast medium like a
> mailing list or newsgroup, in which multiple people can check the
> key.) The signature would say to me, "Hey, newbie! I've been
> around a while and observed that what this secret key says about
> foobar remailer consistently occurs."
>
> [...]
>
> What do you all think of these ideas? Can someone construct a
> *virtual* key-signing party for these somewhat abstract identities
> as Administrator of Remailer X?
So the problem is that we would like to prevent MITM attacks against
nyms who cannot reveal their True Names, or make them more expensive
to mount and maintain.
> Nevertheless, I signed Katt's [a nym] key, because my signature
> merely attests that the key corresponds with the nym account. This
> prevents a short-term deception, because I can check to see if posts
> [...] are really signed by Katt.
>
> There's no possibility of long-term deception, however, because, to
> me, Katt *is* the collection of communications signed by a
> particular nym's secret key.
Carl Ellison has an argument somewhat like this -- that a nym *is* the
collection of messages -- and I'm not sure I agree. His argument is
that if I have always talked to nym Bob through man in the middle Eve,
then Bob to me is Eve *and* Bob, so it's not an attack.
The thing is, we could frustrate MITM attacks if we model the set of
pseudonymous communicants as being connected by a network with a set
of links, only some proportion of which the attacker can maintain MITM
over. So if the nyms can communicate without MITM some of the time,
they can detect MITM. So the nyms exchange fingerprints, and hashes
of sets of fingerprints, say using hash trees, and broadcast them over
any available channels.

As MITM is relatively expensive to maintain, we may get some
reasonable security by defining the non-MITM fingerprints for a given
identity to be the ones with the stronger weighting in the fingerprint
set.
Adam
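
The weighting idea in the message above, as an added sketch that is not part of the original post: each channel reports the fingerprint it saw for a nym, the fingerprint seen on the most independent channels is taken as the non-MITM one, and a hash tree root over the accepted set is what would be broadcast. SHA-256, one vote per channel, and all nym, channel and fingerprint values are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def _h(data):
    return hashlib.sha256(data).digest()

def merkle_root(fingerprints):
    """Hex root of a hash tree over a set of fingerprints (order-independent)."""
    level = [_h(b"\x00" + fp.encode()) for fp in sorted(set(fingerprints))]
    if not level:
        return _h(b"").hex()
    while len(level) > 1:
        nxt = [_h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:          # odd node is promoted, not duplicated
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

def weigh(observations):
    """observations: (channel, nym, fingerprint) triples.
    Each independent channel counts once per fingerprint it reports."""
    seen = defaultdict(lambda: defaultdict(set))
    for channel, nym, fp in observations:
        seen[nym][fp].add(channel)
    verdict = {}
    for nym, fps in seen.items():
        ranked = sorted(fps.items(), key=lambda kv: (-len(kv[1]), kv[0]))
        total = sum(len(ch) for ch in fps.values())
        verdict[nym] = {
            "fingerprint": ranked[0][0],
            "weight": len(ranked[0][1]) / total,
            "conflict": len(fps) > 1,   # two fingerprints for one nym: possible MITM
        }
    return verdict

# Constructed sample data: nyms, channels and fingerprints are made up.
FP_KATT, FP_EVE, FP_BOB = "KATT-1111-2222", "EVE-9999-0000", "BOB-3333-4444"
OBSERVATIONS = [
    ("mailing-list", "katt", FP_KATT),
    ("newsgroup",    "katt", FP_KATT),
    ("direct-mail",  "katt", FP_EVE),   # the one link the attacker controls
    ("mailing-list", "bob",  FP_BOB),
    ("newsgroup",    "bob",  FP_BOB),
]

if __name__ == "__main__":
    verdict = weigh(OBSERVATIONS)
    for nym, v in sorted(verdict.items()):
        print(nym, v)
    print("broadcast root:", merkle_root(v["fingerprint"] for v in verdict.values()))
```

Two parties who accept the same fingerprint set compute the same root, so comparing roots over any channel the attacker does not control exposes a substituted key.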