about GNU-PG Registration

Asked by vfmla on 2011-01-27

Hello Ubuntu Community,

I have a question about GNU-PG security for email clients. I have read that this is the best email protection available. I have it among the available Ubuntu packages, too, but when I wanted to use it the registration process asked for my real name.

Considering the full or the best possible privacy claim, why a real name?
Or is it OK just not to give the real name?

I am not advanced in cryptography, could/can this not be avoided?

I'll be glad and thankful for your insights.

best greets!

Question information

Language: English
Status: Solved
For: Ubuntu gnupg
Assignee: No assignee
Solved by: vfmla
Solved: 2011-01-31
Last query: 2011-01-31
Last reply: 2011-01-27

Sam_ (and-sam) said : #1

How would you verify that a person is who they claim to be, through a nickname?
https://help.ubuntu.com/community/GnuPrivacyGuardHowto
https://secure.wikimedia.org/wikipedia/en/wiki/Web_of_trust

If you created a pseudonymous identity which itself were to become trusted (e.g. "Locke" and "Demosthenes" in Orson Scott Card's Ender series), then, by always using that, messages you sent would eventually provide compelling evidence that they were really sent by whoever has that pseudonymous identity.

(This is the same way things work with your real identity. If hypothetically I start using GNU-PG and I decide to fraudulently use your name as my own, hopefully people would realize that all they know is that subsequent messages are sent by the same person who sent previous messages as you, and that *all* the messages could potentially be sent by an impostor. As you start to verify that messages were sent by you, for example, in person, then that builds a stronger web of trust and eventually people have reason to believe that the person whose "real name" is your name is really you.)

But it is important to note that privacy and anonymity are related but different concepts. They are often consistent with one another and even helpful to one another, of course. But a fundamental aspect of your privacy is your ability to prove your identity, preventing other people from assuming (i.e. stealing) it.

Different encryption schemes achieve different goals with respect to verifiability. We generally want emails to stand as a permanently verifiable record, which GNU-PG accomplishes. Our goals with instant messaging are often different, which is why Off-the-Record Messaging (http://www.cypherpunks.ca/otr/) provides the ability to prove you are who you say you are when you say something... and then publish enough information *after* the conversation is over that anyone could craft an equally plausible false conversation. (That way, you have verifiability when talking, and deniability afterwards.)

Can you verify that a person is who they claim to be, through the full name?
I am just curious.

vfmla (bernuce) said : #4

Thank you so much for your responses!! :))

Since I am not a GNUPG user yet, I wasn't (and still am not) informed about what the real name would mean later as a GNUPG user (would that appear in headers, or was that just a registration detail, which was not more convincing, either). So I now understand that my real name will somehow be shown to email recipients so that they know it is me, but not to third parties and peeping toms, of course.

Then it seems a matter of if or how you can handle it to connect people with a name other than your own, and all things that may come associated with it. Guess I got it right?

There are, of course, many full names that are shared by many different people. However, if you have two digitally signed messages, you can know that they were digitally signed by the same person (or that someone else got access to their private key...a situation to avoid!).
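
The point made in the replies above (the name on a key is free text, while signatures tie messages to one key), shown as an added example that is not part of the original thread. The pseudonym, address and messages are constructed, and the script assumes GnuPG 2.1 or later and uses a throwaway keyring.

```bash
#!/usr/bin/env bash
# Added example: the pseudonym, address and messages are constructed, and
# everything happens in a throwaway keyring. Assumes GnuPG 2.1 or later.
set -eu
export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

UID_TEXT='Demosthenes <demosthenes@example.invalid>'

# new_key <user-id>: create an unprotected test key, print its fingerprint.
# --yes is needed because gpg only warns when the user ID already exists.
new_key() {
  gpg --batch --yes --pinentry-mode loopback --passphrase '' --status-fd 1 \
      --quick-generate-key "$1" default default never 2>/dev/null |
    awk '$2 == "KEY_CREATED" && !fpr { fpr = $4 } END { print fpr }'
}

# uid_of <fingerprint>: the free-text user ID stored on that key.
uid_of() {
  gpg --batch --with-colons --list-keys "$1" |
    awk -F: '$1 == "uid" { print $10; exit }'
}

# sign <fingerprint> <text>: ASCII-armored signed message on stdout.
sign() {
  printf '%s\n' "$2" | gpg --batch --armor --local-user "$1" --sign
}

# signer <signed message>: fingerprint of the primary key that signed it
# (last field of the VALIDSIG status line), empty if the signature is bad.
signer() {
  printf '%s\n' "$1" | gpg --batch --status-fd 1 --verify 2>/dev/null |
    awk '$2 == "VALIDSIG" { print $NF }'
}

real=$(new_key "$UID_TEXT")   # first holder of the pseudonym
fake=$(new_key "$UID_TEXT")   # someone else who typed the same name

m1=$(sign "$real" 'first essay')
m2=$(sign "$real" 'second essay')
m3=$(sign "$fake" 'essay from the impostor')

echo "user ID on both keys: $(uid_of "$real") | $(uid_of "$fake")"
for m in "$m1" "$m2" "$m3"; do
  echo "signed by key $(signer "$m")"
done
```

The first two messages report the same fingerprint and the third a different one, although all three carry the same name; recipients who compare fingerprints rather than names can tell the two signers apart.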

vfmla (bernuce) said : #6

Thank you yet again Eliah!

vfmla (bernuce) said : #7

Thank you all members for your support and insights!