[Freedombox-discuss] public certifications and petnames [was: Re: FreedomBox 'bump/hi-five' challenge]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jun 24 19:58:14 UTC 2011 

On 06/24/2011 04:25 AM, John Gilmore wrote:
> I would go further.  I wouldn't even tie the person to some kind
> of global identity, government ID, or "verification".

There are many good uses for this, and yes: we should certainly tie the
local verification with privately-held identifying information and other
forms of memory/identity cues for the freedombox owner.

However, if you forgo all public identification, you lose (at least) two
rather important things:

 0) you lose the ability to learn the identity of someone who you have
*not* met in person.  The OpenPGP "web of trust" allows people to make
generic introductions available to others; this means that I can know
(for example) that a message from Bdale is actually from Bdale well
before i ever met Bdale.  I can do this because several mutual
acquaintances have identified each of us with our keys publicly.  i
(privately) trust enough of those intermediaries to make reasonable
certifications (and to *not* make unreasonable certifications) that i
can be confident that messages signed by this key actually were signed
by Bdale.

Note that i might care about Bdale's "government-recognized" name; or i
might care about his globally-unique (in some sense) e-mail address; or
i might care about both, as far as discerning his identity.  But i'm
relying on a public certification; not a private "the bdale i like to
get drinks with" certification.

1) you lose the ability to effectively re-key after a loss or a
compromise.  If you've come to know someone solely via their key, and
they lose control of that key (either by physical loss or by
compromise/exposure), you'll need to actually find them again in person
to learn their new key.

With a public certification network, there is the possibility for a
person to re-identify themselves without having to meet each of their
correspondents in person all over again.

> The implication for FreedomBox design is that a user's key should be
> transmitted WITHOUT further identifying information.  Any identifiers
> for a received key should be provided by the receiving party.

This is going to make freedombox incapable of supplanting proprietary
networks.  The ability to connect to people you have not yet been able
to do an in-person handshake with with is critical to being able to
satisfy the social and emotional desires for communication.

> Not automatically tying a key to a self-claimed identity, nor a
> government-issued identity, nor even a photo, will help freedom
> fighters stay free when the government grabs somebody and tries to
> find all their collaborators.

People can do this with a pseudonym -- there are many pseudonymous
OpenPGP user IDs in the existing WoT.  But not everyone will use a
pseudonym.  If you're concerned that a pseudonym might be too
identifiable, consider that the key's fingerprint itself is unique and
identifiable.  Better to lay claim to a persistent identity that allows
re-keying.  If you want to ditch your pseudonym, that's just as easy as
ditching a key (easier, in fact)

> [...]
> This concept is only a few weeks old; I could've missed some big
> reasons not to do it this way.  

The concepts of local/private associates with keys actually dates back
at least to 2005:

 http://www.skyhunter.com/marcs/petnames/IntroPetNames.html

The concept of petnames is a good one, one that we should certainly
incorprate into the UI of the freedombox; integrating a mechanism for
storing petname info (private names, candid photos, etc) into the
bump/hi-five/manusvexo/monkeysign UI (can we please settle on a name?)
would be fine (though i don't think it necessarily needs to be in the
first draft).  And of course, that data would need to get handed off to
the freedombox, where it would be integrated in the rest of the UI (e.g.
when i'm chatting with Bdale using OTR, it reminds me that this is in
fact "the Bdale i met in NYC").  The rest of the UI should also allow
the user to update petname info at will (e.g. this is no longer "the
bdale i met in NYC", he's now known as "the BDale i launch rockets with").

But Petnames are independent from public certifications.  We should
definitely *not* throw out possibly-public certifications just because
we want to integrate petnames.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110624/ec37664b/attachment.pgp>

More information about the Freedombox-discuss mailing list