Subject: Re: BPG call for use cases
To: Martin Husemann <>
From: Curt Sampson <>
List: tech-security
Date: 07/22/2005 18:31:33
On Fri, 22 Jul 2005, Martin Husemann wrote:

> I was just not using your vocabulary ;-)

Right, and mine was not correct, anyway.

> "Identity" might not be the proper word, in the natural (non
> cryptographic) context. I was thinking of a person, for example, as a
> single, unique entity.

I understand what you are trying to say by this. But I'd definitely say
that it's not obvious to your average user that

     pub   1024R/54FDA385 1996-07-16 [revoked: 2004-03-19]
     uid                  Curt J. Sampson <>


     pub   2048R/25808B3A 2004-02-26
     uid                  Curt J. Sampson <>

May well be two entirely different identities, even though they share
the same UserID.

On the other hand, I do believe that your typical user has little
difficulty, when he types "Curt Sampson" into Google, realizing that
he's dealing looking at results covering two different entities, both
identified by "Curt Sampson." Given that, I think it's not difficult
for users to understand the real meaning and value of a User ID, if
explained clearly, and he'll then be able to do some reasoning for
himself when confronted with situations requiring judgement.

For example, when he receives an e-mail from <>, and the
program says that the signature is valid but untrusted, he'll be able
to understand that this is a "duplicate" UserID, and be able to look at
the signatures on that one to try to discover what's going on. (I can
certainly imagine a user not understanding what's going on listing the
signatures on the wrong User ID.)

Curt Sampson  <>   +81 90 7737 2974
      Make up enjoying your city life...produced by BIC CAMERA