On 04/07/2013 02:19 PM, Daniel Kahn Gillmor wrote:
<snip>

> But let's bring this discussion back out of the metaphysical
> territory of "what is the true nature of identity". In response
> to adrelanos' question, I tried to give an example of what sort of
> non-government-issued evidence a cautious and open-minded
> individual might consider. What evidence are you willing to
> consider to establish belief in someone's identity?

Perhaps it's misleading to focus on the pseudonym "adrelanos". For me, what's important is knowing that all Whonix releases come from the same source (person, collective, etc). Having an email address associated with the whonix-signing key provides some assurance that support requests and bug reports are going to the right place. It's also useful to know that the adrelanos on this list is the Whonix signer at adrela...@riseup.net with gnupg key fingerprint "9B15 7153 925C 303A 4225 3AFB 9C13 1AD3 713A AEEF".

Over time, with ongoing peer review, "Whonix signer" aka adrelanos develops a reputation for releasing useful and malware-free software, for promptly patching all reported vulnerabilities, and so on. If malware were found in Whonix, the reputation would diminish.

Peer-verified reputation is crucial in many contexts, especially where government-issued identification is unworkable. Even so, that's not enough, because most participants lack the necessary information and expertise.

Also, reputation is not simply one-dimensional. If verifiable evidence were presented linking Whonix/adrelanos to some organization or cause, that might decrease adrelanos' reputation among some, and increase it among others. Reputation is also multidimensional in other ways (e.g., expertise, financial integrity, on-time delivery and discretion).

Trusted third parties manage peer-verified reputation in particular contexts. For example, Onionland marketplaces manage the reputations of their sellers and buyers, whose accounts are linked to their gnupg keys. There are also brokers that manage reputation more broadly.

Expecting gnupg to handle all that might be unrealistic. Multiple trust parameters would be required, and consistent use in multiple contexts would be difficult or impossible to enforce. But gnupg keys can serve as the index for reputation data.