[Freedombox-discuss] Relationship driven privacy

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 6 19:01:40 UTC 2011


On 07/06/2011 02:43 PM, Tony Godshall wrote:
> Obviously a keysigning "party" is not
> appropriate for people who want to be
> anonymous.  But I don't see why, if you've
> verified a claimed identity in some other
> reasonable sense you cannot sign someone's
> key even if it's pseudonymous.

I agree; given the fluidity of names, a persistent pseudonym can have at
least as much value in terms of establishing identity as a
government-approved "official" name.

> For example, a public activist now living in a
> free country might want to indicate trust of a
> pseudonymous source living under a brutal
> regime,

Standard OpenPGP certifications do *not* indicate "trust".  They are
assertions of identity and key-ownership.

If the repressed source is known only publicly as "fubar127", the
non-repressed activist can use OpenPGP certifications to assert that
fubar127 does in fact hold key X.

> and this public activist might want to
> convey the existence of such trust to news
> media / bloggers, etc.

Again, the public activist does *not* need to indicate any level of
trust here; merely that they believe the individual known as "fubar127"
does in fact hold key X.

> without compromising
> the source's true identity.

I'd use the term "official" or "government-issued" identity here, since
in the public sphere, "fubar127" is at least as much their "true"
identity as any other identity they hold.

> That way the various
> parties could distinguish communiques from
> that source vs. the regime's disinformation
> even if the original public activist is assassinated.

Yep.  Again, to be clear, this is about management of public identities,
and binding public keys to public identities.  It's not about trust.

I think the critical insight here is:

  A persistent identity bound to a strong public key is
  essential to being able to make a stable and lasting contribution
  to a globally-networked culture.

It doesn't matter whether the identity is your "official" identity or
not; and it doesn't even necessarily matter what form the cryptographic
material takes (a self-signed X.509 certificate or even a raw public key
might be sufficient in some cases).

Having good ways that other people can publicly state their belief in
your key+identity relationship is a good way to help ensure that your
presence on the network will be difficult to remove, obscure, or
infiltrate through technical means.

	--dkg
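
The distinction drawn in the message above between certifying a key and trusting its holder, as an added example that is not part of the original post: the activist certifies that "fubar127" holds key X, and the activist's keyring still records no ownertrust for that key. The activist's user ID and the throwaway keyrings are constructed for illustration; GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example (constructed data): two throwaway keyrings, ~/.gnupg is untouched.
set -e
SRC_HOME=$(mktemp -d)   # keyring of the pseudonymous source "fubar127"
ACT_HOME=$(mktemp -d)   # keyring of the activist (hypothetical identity)
trap 'for h in "$SRC_HOME" "$ACT_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
      done; rm -rf "$SRC_HOME" "$ACT_HOME"' EXIT

# g HOME ARGS...: run gpg non-interactively against one keyring
g() { home=$1; shift
      gpg --homedir "$home" --batch --quiet \
          --pinentry-mode loopback --passphrase '' "$@"; }
# fpr_of HOME UID: fingerprint of the primary key matching UID
fpr_of() { g "$1" --with-colons --list-keys "$2" |
           awk -F: '$1=="fpr"{print $10; exit}'; }

# Each party generates its own key; the user ID is only the public name.
g "$SRC_HOME" --quick-generate-key "fubar127" ed25519 default never
g "$ACT_HOME" --quick-generate-key \
  "Public Activist <activist@example.org>" ed25519 default never
SRC_FPR=$(fpr_of "$SRC_HOME" fubar127)              # "key X" in the message
ACT_FPR=$(fpr_of "$ACT_HOME" activist@example.org)

# The activist imports key X and certifies the binding fubar127 <-> key X.
g "$SRC_HOME" --export "$SRC_FPR" | g "$ACT_HOME" --import
g "$ACT_HOME" --yes -u "$ACT_FPR" --quick-sign-key "$SRC_FPR"

# Verified certifications on key X that were issued by the activist's key.
certs_by_activist() {
  keyid=$(printf %s "$ACT_FPR" | tail -c 16)
  g "$ACT_HOME" --with-colons --check-sigs "$SRC_FPR" |
    awk -F: -v k="$keyid" '$1=="sig" && $2=="!" && $5==k {n++} END{print n+0}'
}
# Ownertrust entries the activist's keyring holds for key X.
ownertrust_entries() {
  g "$ACT_HOME" --export-ownertrust |
    awk -F: -v f="$SRC_FPR" '$1==f {n++} END{print n+0}'
}

echo "certifications on key X by activist: $(certs_by_activist)"
echo "ownertrust entries for key X:        $(ownertrust_entries)"
```

Ownertrust is a separate, local setting (`gpg --edit-key`, then `trust`) that says how much weight the holder's own certifications should carry; it is never created by signing a key.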
