
Pseudonyms: The Natural State of Online Identity - billpg
http://www.freedom-to-tinker.com/blog/felten/pseudonyms-natural-state-online-identity
======
billpg
(My comment, reposted here.)

I recall a discussion on this topic a long time ago when I had a casual
interest in anti-spam techniques.

The idea was that someone (JD) maintained a list of bad IP addresses. However,
JD realised that some people might not want JD to maintain and publish his
list, and would use various means to stop him. (Lawsuits, DoS attacks, personal
threats, etc.)

So instead, he would anonymously publish updates to his list as signed Usenet
messages. The idea was that even though he was anonymous, he would build up a
reputation for quality over time and spammers couldn't pollute his list by
posting fake updates because those fake updates would fail the signature
check.

The objection to this scheme was the man-in-the-middle problem. Under this
plan, JD's first message to the world would be an unsigned PGP key over the
same fakeable Usenet channel. What if a spammer managed to capture all of
JD's posts, including the initial key, and craft his own fake posts with the
spammer's IP missing?

(In the real world Usenet, this attack would be rather impractical, but
that's beside the point. Just acknowledging the fact.)

~~~
dustingetz
my understanding: spammer would have to _intercept and modify_ the public key
in the very first (and all subsequent) messages.
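
The scheme and the objection to it, as an added Go sketch that is not part of the original thread: Ed25519 stands in for PGP, and the `Post`, `Reader` and `Scenario` names and the list contents are constructed for illustration. A reader who pins whichever key arrives first rejects forged updates when that first post was genuine, and accepts only the intermediary's posts when it was replaced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Post is one message on the unauthenticated channel (hypothetical layout).
type Post struct {
	Key  ed25519.PublicKey // key the poster claims to use
	Body []byte            // the list update
	Sig  []byte            // signature over Body
}

// Reader pins the key from the first post it sees (trust on first use).
type Reader struct{ pinned ed25519.PublicKey }

// Accept reports whether the post verifies under the pinned key.
func (r *Reader) Accept(p Post) bool {
	if r.pinned == nil {
		r.pinned = p.Key // first contact: nothing to check this key against
	}
	return bytes.Equal(r.pinned, p.Key) && ed25519.Verify(r.pinned, p.Body, p.Sig)
}

func sign(pub ed25519.PublicKey, priv ed25519.PrivateKey, body string) Post {
	return Post{pub, []byte(body), ed25519.Sign(priv, []byte(body))}
}

// Scenario returns whether a genuine and a forged update are accepted.
func Scenario(firstPostReplaced bool) (genuineOK, forgedOK bool) {
	jdPub, jdPriv, _ := ed25519.GenerateKey(nil) // list maintainer
	mPub, mPriv, _ := ed25519.GenerateKey(nil)   // party rewriting the feed
	first := sign(jdPub, jdPriv, "list v1")
	if firstPostReplaced {
		first = sign(mPub, mPriv, "list v1")
	}
	r := &Reader{}
	r.Accept(first)
	// Constructed list contents using documentation address ranges.
	genuineOK = r.Accept(sign(jdPub, jdPriv, "list v2: 192.0.2.10, 198.51.100.7"))
	forgedOK = r.Accept(sign(mPub, mPriv, "list v2: 198.51.100.7"))
	return
}

func main() {
	fmt.Println(Scenario(false)) // true false
	fmt.Println(Scenario(true))  // false true
}
```

In the second case the genuine update is the one that fails verification, so the substitution only holds while every later post the reader sees is also rewritten; checking the key fingerprint through a second channel removes the dependence on the first post.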

------
Perceval
While _managing_ pseudonyms at the level of code is easy, dealing with
pseudonyms when building a community is difficult. Pseudonyms present a
double-edged sword: an online identity, but the possibility of multiple online
identities (sockpuppets), the possibility of impersonation, and the
egocentrism of having your pseudonym more valued than your content.

