The Government Internet ID Proposal
An anonymous reader writes "Is it the beginning of government tracking? An expert on electronic privacy walks through the possibilities and perils of a national online security system run, in part, by the US Department of Homeland Security."
I'm sure this story has been posted many times over the last few months?
Example:
http://yro.slashdot.org/story/11/04/17/1747215/White-House-Releases-Trusted-Internet-ID-Plan
we should have absolutely nothing to fear. Remember, this is all for our protection.
How will this prevent identity theft? Seems to me that it will make it potentially easier to steal someone's identity.
I really like this story when people insinuate that the government is an utter failure at anything it touches. Stolen from Usenet long ago, I believe.
This morning I awoke to my alarm powered by electricity generated by the public power monopoly regulated by the US Dept. of Energy. I turn on the TV to one of the FCC regulated channels to see what the National Weather Service of the National Oceanographic and Atmospheric Administration predicts the weather to be using satellites designed, built, and launched by the National Aeronautics and Space Administration.
I watched this while eating my breakfast of US Department of Agriculture inspected food and taking the drugs which have been determined to be safe and effective by the Food and Drug Administration. I also note that the US is still a sovereign nation, having not been invaded during the night, thanks to the tireless vigilance of the United States Armed Forces.
I then took a shower using clean water provided by the municipal water utility. At the appropriate time as regulated by the US Congress and kept accurate by the National Institute of Standards and Technology and the US Naval Observatory, I get into my National Highway Traffic Safety Administration approved automobile and set out to work on the roads built by the local, state, and federal Departments of Transportation.
I may also stop to purchase additional fuel of a quality level determined by the Environmental Protection Agency, using legal tender issued by the Federal Reserve Bank. On the way out the door I deposit any mail I have to be sent out via the US Postal Service and drop the kids off at the public school.
After work, I drive my NHTSA car back home on DOT roads, to a house which has not burned down in my absence because of the local and state building codes and Fire Marshal's inspection, and which has not been plundered of all its valuables thanks to the local Police Department.
Some days we stop to let the kids play in one of the many beautiful parks maintained by the US National Park Service division of the US Department of the Interior.
I then log onto the internet, developed by the Defense Advanced Research Projects Administration, and post on freerepublic and FOX News forums about how SOCIALISM in medicine [or new ID cards] is BAD because the government can't do anything right.
Dupe Dupe Dupe Dupe Dupe Dupe DUPE.
That people actually fear that the government is sufficiently flexible to run something this complicated and sophisticated.
Be much more afraid when they start using terms like "deputizing" to describe a public-private partnership with companies that actually can do this for them.
The US wants to become the World Police.
...Where a link to an article about computer credentials can become an 800-count thread where people don't talk about the article, and prefer to spin yarns about Hangar 18 conspiracies all the while claiming the exact opposite of what's actually going on.
You can see why private industry would hate this proposal: it robs third parties of the ability to collect advertising and customer data through user authentication. So naturally they'll use scaremongering and useful idiots civil libertarians to claim this isn't what it is, and that we're much better off with a completely private system with no rules as to who can collect what data about what.
Don't blame me, I voted for Baltar.
Hey, even not using it won't help.
...after the first few years you won't be able to use a credit card without it. (Or cash a check, if we still have checks, or use cash, if we still have cash.)
Make sure nobody misses this one.
So ... I'm going to trust a government agency (especially one which has a vested interest in spying on us) to come up with a universal ID scheme which is secure, private, and actually works -- and doesn't have back doors?
What the hell does DHS care about how people keep track of their on-line accounts other than to be sure they can track you?
I'm sorry, but I don't trust this organization to perform this function ... either from a competence perspective, or from a trust perspective. I can only imagine it subsequently becoming illegal to not use this and Officer Friendly shows up at your door for your internet ID re-education.
I can see all sorts of chilling effects like freedom of association and anonymous speech -- but, it will be hammered home to protect against kiddie porn and identity theft.
This is a colossally bad idea, and worthy of a full-on tin-foil hat response. The government should stay the hell out of the internet and how people authenticate on it. And, really, unless you're also planning on having "Internet America" which is firewalled and distinct from the rest of the internet, this simply won't work.
Lost at C:>. Found at C.
I'm trying to work on a peer vouching system to establish identity and real existence of people sufficient to conduct a reliable global electronic vote.
Anyone have any ideas what kind of algorithm might work for that?
The idea is roughly along the lines of: What is the chance that a facebook "person" is a fake person or a duplicate person. A facebook account holder who has x number of friends each of whom have x number of friends (not forming small closed cliques but with some measure of wider global interconnectivity).
Detecting fakes would seem to me to be akin to the problem google has of detecting self-promoting link farms.
Anyway, any ideas about this? Not really interested in political ideas about it. Just technical ones about whether it's doable and how to.
Could this kind of bottom up identity/reputation establishment compete for validity with a top-down government system?
Where are we going and why are we in a handbasket?
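An added example, not part of the thread: one technical approach to the question above is seeded trust propagation, the same idea used against link farms, stopped after about log2(n) rounds so that trust does not have time to leak across the few edges that join a fake cluster to real users. The graph, the account names and the choice of seeds are constructed for illustration.

```python
# Added illustration: seeded trust propagation over a peer-vouching graph.
# All account names and edges below are constructed sample data.
import math
from collections import defaultdict
from itertools import combinations


def build_graph(edges):
    """Undirected vouching graph: an edge means two accounts vouch for each other."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def propagate_trust(graph, seeds, rounds=None):
    """Spread trust from verified seed accounts along vouching edges.

    Each round every account splits its current trust evenly among its
    neighbours. By default the walk stops after ceil(log2(n)) rounds: long
    enough to reach well-connected real users, too short for much trust to
    cross the narrow cut into a cluster of fakes. Scores are divided by degree
    so that piling up mutual vouches inside the cluster does not raise them.
    """
    if rounds is None:
        rounds = max(1, math.ceil(math.log2(len(graph))))
    trust = {node: 0.0 for node in graph}
    for seed in seeds:
        trust[seed] = 1.0 / len(seeds)
    for _ in range(rounds):
        nxt = {node: 0.0 for node in graph}
        for node, amount in trust.items():
            share = amount / len(graph[node])
            for neighbour in graph[node]:
                nxt[neighbour] += share
        trust = nxt
    return {node: trust[node] / len(graph[node]) for node in graph}


def suspects(scores, count):
    """The `count` lowest-scoring accounts (ties broken by name)."""
    return sorted(scores, key=lambda n: (scores[n], n))[:count]


def spread(scores):
    """Gap between the most and least trusted account."""
    return max(scores.values()) - min(scores.values())


# Constructed sample: six real users who all know each other, four fake
# accounts that all vouch for each other, and a single real user (h5) who was
# tricked into vouching for one fake (s0).
HONEST = [f"h{i}" for i in range(6)]
FAKES = [f"s{i}" for i in range(4)]
EDGES = (list(combinations(HONEST, 2))
         + list(combinations(FAKES, 2))
         + [("h5", "s0")])
GRAPH = build_graph(EDGES)
SEEDS = ["h0", "h1"]  # accounts verified out of band (assumption)

if __name__ == "__main__":
    early = propagate_trust(GRAPH, SEEDS)
    for name in sorted(early, key=early.get, reverse=True):
        print(f"{name}  {early[name]:.4f}")
    print("lowest ranked:", suspects(early, len(FAKES)))
    # Run to convergence and every account ends up with the same score,
    # which is why the early stop matters.
    late = propagate_trust(GRAPH, SEEDS, rounds=5000)
    print("spread, early stop: ", round(spread(early), 4))
    print("spread, convergence:", round(spread(late), 6))
```

The separation depends on fakes having few vouching edges into the real population; every real user who vouches carelessly widens the cut and lets more trust through.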
Here in Seattle, Gary Locke is looked upon by most as someone who takes larger pride in his Chinese heritage than he does with his US. I have heard Gary speak at about 3-4 public events, and every time he has this story about how proud he is to be Chinese and have parents who came to this country from China. With Gary on his way to China to work there as US Ambassador in Beijing, there are even more reasons to be skeptical about his proposals.
There are just two things:
(1) This does not solve the problem, only multi-lateral web of trust does that, i.e. PGP or X509 keys signed by your counterparties
(2) Obummer's Administration will get it all wrong so (a) we have many more years of scams (b) it will provide endless opportunity for DHS, TSA, CIA and FBI to act ultra-vires and outside the constitution.
Google "Swiss Sign" to see how to do it right, respecting citizens' privacy
"Emily Badger is a freelance writer living in the Washington, D.C. area who has contributed to The New York Times, International Herald Tribune and The Christian Science Monitor. She previously covered college sports for the Orlando Sentinel and lived and reported in France."
Where is the electronic privacy expert part?
No, that began before most of us were even born. Now go study some history, and don't submit any more blurbs as if they are stories.
Caveat Utilitor
...can run the Child Protective Services (CPS). And corrupt bankers can run the treasury, and...
This was meant to be a sarcastic post but then I realized this is all true already.
Sam has one liberty, which he sacrifices for one security. Can you tell me what Sam has now?
Sounds like "Internet Communism" to me.
Not to mention just another way your identity can be stolen.
A private business doesn't have the special right to employ coercion (meaning physical force) as a business model. Government does have that special right -- in fact, that special right is precisely what defines government and differentiates government from everybody else.
The point is that no private organization could ever cause as much destruction and injustice as government -- it's just not logically possible. Even when government employs coercion (wrongly) on behalf of a private organization, it is government that ultimately holds the key, not the private organization.
I'm not trying to excuse corporations from abuse of privacy -- that's certainly a major problem in today's world. But let's try to keep some perspective: government is infinitely more dangerous than any private organization -- by the very definition of government (see above).
More importantly, make sure they read AT LEAST THIS FAR:
The government has set out principles — chief among them “choice, efficiency, security and privacy” — more than mechanics. But the basic idea is that you could have your offline identity verified online by a company of your choosing. That company would then provide you with a single credential you could then present (when you don’t want to be anonymous online) to Amazon, or VA.gov, instead of having to re-establish that you are who you say you are with every online transaction.
The device carrying your credential — a flash drive, a cellphone, a smart card of some kind — would authenticate itself, rather than referring Amazon to the company that vouches for you. Amazon would know the buyer was secure, and the credential would know it was communicating with a bookseller, but the authentication provider would never learn that you just bought Bob Woodward’s new book. In this way, all of the parties involved would never freely communicate with each other, preventing precisely the web of information that you probably don’t want anyone — private company or government agency — to track.
In short it is a strictly voluntary program of obtaining authentication credentials which only YOU say what you share with each. Like your PGP signature with a somewhat more reliable web of trust than some guy in Slovenia that signed your key.
Seriously, you can tell the author simply skimmed, and never read the actual government release on this idea, which can be found in pdf form here: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf
The biggest problem I see is the mentioned "Mission Creep", where such an ID becomes mandatory in order to purchase anything on line. I could easily see that happening at the insistence of credit card companies.
Sig Battery depleted. Reverting to safe mode.
Anybody on Facebook needs to STFU about "government tracking you online". Facebook sells more to its advertisers than the government will ever know about you.
Pretend there is some witty statement here.
That makes me feel better since the government never suffers from scope creep.
In short it is a strictly voluntary program of obtaining authentication credentials which only YOU and identity thieves say what you share with each.
FTFY.
Quidnam Latine loqui modo coepi?
Hmmm. Sounds like 1984's Ministry of Love, doesn't it?
: (
Eventually, however, the transaction relates to a buyer at an IPv6 address. As most IPv6 addresses aren't behind a NAT, they can be eventually profiled as to who they are.
And since those carrying an iPhone to make the purchase have their GPS tracked, we know where they are for large parts of the day. Let's say that the phone location between 10pm and 6am is likely where they live. Oh, let's crossref that to a Google map to find out what their apartment looks like. Gosh, see where else they go? Neat, huh?
I'm not sure DHS need to do much of anything. Between IPv6 and phone-home-with-GPS data, we're all tracked in the US (and other parts of the planet) now.
---- Teach Peace. It's Cheaper Than War.
It's safer than credit cards.
You can dumpster dive all you want, but you still can't access my accounts without my digital credentials stored on my phone. And even if you steal my cell phone with my credentials on it, you can't use them because they are encrypted and password protected on the phone.
Sig Battery depleted. Reverting to safe mode.
Rather ironic that the Land of the Free and Home of the Brave is slowly but surely progressing to a point where the only ones who will really have "freedom" will be the outlaws that all these things are supposedly being put in place to catch.
Yet another way for Homeland Security to keep track of US citizens who don't like what the corrupt government and big business are up to. Oops. I meant to say 'terrorists'. Hell, it's just a word used as an excuse to let the US elite do whatever the hell they want. Homeland Security is just the US's version of the SS. Awww crap. I mentioned Nazis.
The "statist" argument I make is that hierarchical governance will establish itself in human society no matter what.
We are descended from a long line of social animal species and cohabiting with many others.
Reciprocity is adaptive. It reduces the energy expended for an increment of survival probability.
Hierarchical coordination of reciprocity is a thermodynamically more stable configuration of reciprocity, because of the information flow topology (1 - n compared to n - n) leading to feasible alignment of goals and actions of larger numbers of social agents, and leading to fewer accidentally oppositional (and energy-wasting) actions.
You really can't fight this, given the general kind of survival oriented, energy-conserving, socially aware, plan-forming agents that we are.
So the only choice you have is what FORM (and to some degree what degree) of hierarchical governance you will have. You don't have a choice not to have it. The pattern will impose itself on you no matter what, eventually.
If you kick out the constitution that is an agreement to have democratically elected hierarchical governance, you'll get some other kind, emerging from the latent empire builders always present in human society. Whether this ends up being a glorified drug-lord or a benevolent but ruthless dictator is anyone's guess, but it will be something, you can be sure of that. It will start out with lots of small hierarchical organizations, and gradually they will coalesce into the largest (federal layered) hierarchical organization supportable by the communication, transportation, logistics coordination, and force-projection technologies of the day.
That one, you guessed it, we will end up calling "the state".
Where are we going and why are we in a handbasket?
had a job at The Daily Planet!
Go BigTime TV!
Depending on the criminal, encryption might just offer a delay, not prevention to the release of data.
Besides the fact that this (when it all boils down to it) amounts to tracking of an individual's explorations and transactions on the Internet, it has one other fundamental flaw: it is a "trust network" system of a kind that we know doesn't work.
Think about it: we already have such a system, for identifying web pages: Certificate Authorities. And it's a sham. It does work sometimes, but surveys done by EFF and others have shown that some CAs don't bother to check the identity of the people to whom they issue certificates. Some CAs have sold multiple certificates to the same people... and some have sold the same certificates to multiple people.
But even worse: they also found that as much as 80% of the certificates were not set up properly on the sites they are supposed to identify.
I could go on. But the point is, these "trust based" systems fail at exactly the point we are supposed to trust: the human at the other end. It is not that the design is necessarily bad, but that people don't properly do the things they must do to make the system work the way it is supposed to.
Case in point: most "identity theft" happens not at the level of the individual, but from "data leaks" at the very corporations with whom we are supposed to trust our data. So this scheme is worse than useless: it won't increase security at the user end, and it doesn't even bother to address the real security issue here: the humans at the other end.
So what?
It's still better than your credit card number slurped across the net due to a broken SSL layer or a dumpster diver.
You kill the credential and start using a new one.
Sig Battery depleted. Reverting to safe mode.
Case in point: most "identity theft" happens not at the level of the individual, but from "data leaks" at the very corporations with whom we are supposed to trust our data.
Citation needed.
Also, you seem to ignore the fact that there is NO HUMAN at the other end in most E-commerce today. Buy a book from Amazon and your CC# is never seen by a human anywhere along the route other than you.
Sig Battery depleted. Reverting to safe mode.
The reason why credit cards are safer in practice is because the judge and jury know they aren't safe at all :).
;)
You can go to the court and say "It wasn't me, some hacker stole my credit card", and that's pretty believable. Happens all the time.
Whereas with some "fancy foolproof crypto-tech" the court might be more likely to believe the Bank/Merchant when they say you were responsible for the fraudulent transactions.
A lot of "Identity Theft" is actually people cheating the bank (bank fraud), but the Banks call it "identity theft" to shift some suffering and losses to YOU.
Perhaps with this sort of tech the levels of fraud will go down a lot and the banks etc will pass the savings to the customers. What do you think?
Joe Merchant eats all credit card fraud (beyond the first $50). Doesn't matter what the Judge says.
Doesn't matter if it was an on-line sale or an in-person sale.
It affects the price of everything you buy, even when you use cash.
Your glib dismissal of credit card fraud on the basis that it is not safe at all and therefore it's very safe [nihilism at its best] sort of ignores the fact that a merchant somewhere is out a 60 inch TV and has no way to get it back. Pretty cavalier if you ask me. Try running a business someday.
Anything to make it harder for an unauthorized user to use my credit card is fine by me. To argue against this on the grounds that it will be EASIER to commit identity theft or credit card fraud is just pointless and silly.
The thug that mugs you for your iPhone does not have enough brains to crack the encryption. The dumpster diver who creates fake accounts from your discarded Best Buy bill will not have your public key on file.
You seem to insist upon invalidating the effort on the basis that some agency with NSA level technology might be able to break the encryption. It's not perfect, so let's not do it at all - is that your take?
Sig Battery depleted. Reverting to safe mode.
Waaaaaaaaaaayyyyyyyy up!
Paranoia is a Survival Trait!
based on the very little ive read about this, and the tons ive seen happen in real life, i think this is all silly
first off, ur tracked by an ip address, cookies, facebook, etc.all day anyway. if uve gotten around that, ull get around this, and most ppl dont seem to care.
2nd, i believe they tried this already, and failed already, dunno how this will b different.
lastly, again, if u ACTUALLY care about being tracked online, and based on facebook alone, i think most dont, u will circumvent whatever "obsolete before it passes" dinosaur legislation they can come up with, and thats if the tards can even figure out this whole intertubes thing in our lifetime anyway
so in conclusion, dont worry about it. wana worry about the internet? metered usage is probably the biggest threat to the internet now, go rabble about that somewhere
There is already a national online security system, that univocally identifies and tracks people well beyond national US borders and is largely looked at by several agencies worldwide.
Don't you have a Facebook account?
"Citation needed."
Why should it need a citation? This is not Wikipedia! And even if I was wrong about it being the biggest source of identity theft, it is still a major source, and my point is still valid.
When the statistics say that identity theft occurs 10 or 11 million times a year, and that corporate "data leaks" (like the lost hard drives and laptops that you see reported all the time) often contain millions of records each, all you have to do is some elementary-school math. And don't forget: the government itself is one of the more famous sources for such "accidental" data leaks. But more to the point: if a system is not set up with proper safeguards, then lots of employees at these corporations (and government offices... think "Bradley Manning") have access to that data, and it ends up getting sold.
"Also, you seem to ignore the fact that there is NO HUMAN at the other end in most E-commerce today. Buy a book from Amazon and your CC# is never seen by a human anywhere along the route other than you."
That is completely irrelevant to what I was saying. Humans design the website. Humans set up the security (if any). Humans set up the CA certificates... if any. And humans, if security is not set up properly, have access to the data at their end. Some services (Dropbox is a great example... see the story right here on Slashdot) even lie or mislead users about their security setup, and have easy access to user data that they should never have been able to see.
Despite the fact that other humans might not be directly involved when you make a transaction online, humans are everywhere behind the scenes, and if things are not set up properly (and according to EFF and EPIC they seldom are), then they have access to your data.
Repeat: the trust system of CAs is broken. Not from faulty design, but because the people who set them up can't be trusted to do it properly. 20% success rate is pretty dismal.
And by the way... when you buy from Amazon, or with PayPal, do you enter a credit card number every time? Or do you use a credit card that is already set up on your account?
The point being that regardless of whether a human is involved, that information is in a database somewhere... even your credit card, even if you enter the number manually... because SOMEBODY has to check that the card is valid. Even if it's being done by an automated system, information about your card is still in a database somewhere, and information about your transaction goes into a database somewhere, and people have access to those databases.
I set up databases all the time. Including for secure transactions sometimes. I know how they work, and I know whereof I speak.
Actually I have no problem with the idea of national ID. I'm pretty fed up with the fed's baseless anti-drug but pro-corporate pharmacy attitude, militant overtaxing, overspending and overexerting in foreign affairs, and f'ed up two party system that lumps social and economic decision making into a single choice come election time.
You can get 15 minutes of fame, but you can go down in history for infamy.
The whole point of this is to have a physical device that can authenticate you instead of transmitting a password. The device would go through a challenge-response protocol and prove your identity without exposing its private key. The only way to steal your identity in this system is to steal the physical device from you, which is MUCH harder than stealing your password.
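An added example, not part of the thread: a sketch of the kind of challenge-response exchange the comment above describes, using Schnorr identification so that a recorded login cannot be replayed and the private key never appears on the wire. The `Device` and `Verifier` classes are hypothetical, and the group parameters are demonstration values chosen so the block needs no third-party library; a real token would run a vetted signature scheme (for example ECDSA or Ed25519) inside secure hardware.

```python
# Added illustration: challenge-response login with Schnorr identification.
# Device/Verifier are hypothetical names; P and G are demonstration parameters.
import secrets

P = 2**255 - 19      # a prime modulus (demonstration choice)
G = 2                # base element
ORDER = P - 1        # exponents are reduced mod P-1 (G**(P-1) == 1 mod P)


class Device:
    """Holds the private key; only ever outputs commitments and responses."""

    def __init__(self):
        self._x = secrets.randbelow(ORDER - 1) + 1   # private key, never sent
        self.public_key = pow(G, self._x, P)         # enrolled with the site
        self._k = None

    def commit(self):
        # Fresh one-time secret per login attempt.
        self._k = secrets.randbelow(ORDER - 1) + 1
        return pow(G, self._k, P)

    def respond(self, challenge):
        k, self._k = self._k, None                   # consume: never reuse k
        if k is None:
            raise RuntimeError("respond() called without a fresh commit()")
        return (k + challenge * self._x) % ORDER


class Verifier:
    """The relying site: knows only the device's public key."""

    def __init__(self, public_key):
        self.public_key = public_key
        self._pending = None

    def challenge(self, commitment):
        c = secrets.randbits(128)                    # unpredictable, per login
        self._pending = (commitment, c)
        return c

    def verify(self, response):
        pending, self._pending = self._pending, None  # one answer per challenge
        if pending is None:
            return False
        commitment, c = pending
        # Accept iff G^s == R * y^c (mod P), which holds when s = k + c*x.
        return pow(G, response, P) == commitment * pow(self.public_key, c, P) % P


def honest_login(device, verifier):
    """Full exchange; returns (accepted, everything visible on the wire)."""
    commitment = device.commit()
    challenge = verifier.challenge(commitment)
    response = device.respond(challenge)
    return verifier.verify(response), (commitment, challenge, response)


def replay_login(verifier, transcript):
    """Resend a recorded exchange: the verifier's new challenge invalidates it."""
    old_commitment, _old_challenge, old_response = transcript
    verifier.challenge(old_commitment)
    return verifier.verify(old_response)


def impostor_login(verifier):
    """A different device (different private key) tries the same account."""
    other = Device()
    challenge = verifier.challenge(other.commit())
    return verifier.verify(other.respond(challenge))


if __name__ == "__main__":
    token = Device()
    site = Verifier(token.public_key)
    accepted, wire = honest_login(token, site)
    print("honest login accepted:  ", accepted)
    print("replayed login accepted:", replay_login(site, wire))
    print("impostor accepted:      ", impostor_login(site))
```

A password sent over the same channel would be accepted again when replayed; here each login is bound to a challenge the verifier chose for that attempt only.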
So eventually, an "Internet ID" might become mandatory. ISPs would be required, by federal law, to not allow any customers to connect without first establishing a National Internet ID and authenticating via PPPoE, which most routers and operating systems already support.
That will be the trigger that makes me move to another country. I speak English and Spanish and I'd like to live in the "first world", so my choices are Canada, Ireland, the UK, and Spain. Australia is out because of national Web filtering.
I'll admit that it would be kind of sad if I moved _to_ the UK to escape pervasive surveillance.
What kind of moron would trust the US Government to properly run a program like this, and not completely screw it up or have pathetic security, allowing hackers to wreak havoc? This isn't some well-run organization with competent leadership we're talking about here. Just look at how well they're running TSA.
I could see another country's government doing something like this well, such as Israel, Switzerland, or a few others. But the US Government? You've got to be kidding.
Sounds like a good reason to add a surcharge for using a credit card. Many merchants already do.
What kind of moron hasn't even read about this project to know that it is NOT being run by the Government but rather by Private companies OF YOUR CHOICE?
How come you feel qualified to weigh in with an opinion and start calling other people morons when you haven't even checked your facts?
Sig Battery depleted. Reverting to safe mode.
willnotparticipate Peaceful, to the point, and less violent than other ideas floating around in my head. Until they make it part of my driver's license or tie it to my SSN, it's something I won't participate in. And when they do tie it to those IDs, well, lawyers will certainly be tied all over it by then.
"Have you ever thought about just turning off the TV, sitting down with your politician, and hitting them?"
Have the government set a standard - not set up an administration or anything, should take about a page - for web-sites to accept log-ins using self-signed public key encrypted XML forms with a minimal set of optional identity/contact/billing/revoker fields. Leave everything else up to the public; I reckon it would take about a week to write MOD_PSKLOGIN
-Want to blog anonymously? Get an email forwarding company to sign you a log-on you can use at your blog site.
-Want to buy something from a company you trust with your real name/address/credit card? Bung it into some xml and send it off
-Want to buy something but don't trust them with a credit card? Get your bank to sign a one-off payment approval.
-Want to buy something anonymously? Give a forwarding company (like myus.com) your forwarding address and some money, and get them to sign you a log on with their address and payment details
-Need to prove who you actually are to someone? Get someone who already knows you and that the other party trusts (your bank? your employer?) to sign you a log-in with whatever subset of your information you want to pass on.
-Worried about identity theft? Sign revocation authorities with some company that has a 24 hour hot line, and keep your keys on an encrypted usb stick. Really worried? Get a hardened stick that takes 48 hours to crack and needs a thumb print.
-Worried about catching pedophiles and terrorists? The government can use ordinary court orders to get details from intermediaries.
-Worried about surveillance and privacy? With thousands of unregulated intermediaries it would be a nightmare to keep standing databases to enable automatic data matching. Really worried? Spread your intermediaries around different countries with sane privacy laws.
Like an earlier poster said, we already have the technical side of this standard in things like PGP and X509. All we need is an official, mandated data format for the information exchange so that web sites aren't wasting their time implementing them. Governments may or may not be good at running things, but they rock at standard setting: time zones anyone?
And when all private companies require your internet ID...
Will the government step in to protect your right to privacy?
No. The government will have you exactly where they want you.
If you think there is a difference between corporations, and the government... think again. Corporations fund the elections, to ensure your slavery.
Circumventing the constitution is easy. Corporations can demand you only use permitted language if you want their services or a job working for them. If that becomes the norm, the constitution is worthless.
The idea of freedom is meaningless, if no freedom can be found in the everyday execution of our daily life.
The guy in Slovenia shouldn't have signed your key unless he knew that the key that he was signing was your key, and that you were who you were claiming to be. The recommendation is that you meet in person (which you're likely to do, since you and Mr Slovenia have regular business together), and do the key signing in each other's presence.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Your story is very nice and does show why the government is useful, when it is *serving its citizens*.
But how many of those things in your daily routine required you to present an ID? You even used legal tender to pay so you don't need a credit/debit card. So, in the context of this story, why does it help us and keep us safe to have an internet ID?
Twinstiq, game news
Exactly. Thanks for emphasizing my point.
My key signed in person at the East Mudville branch of the Bank Of Kentucky is more believable than your typical PGP signature, signed by gawd knows who.
Sig Battery depleted. Reverting to safe mode.
So who owns the intellectual property?
Say I want to buy a Taco from the Commanders taco shop and I order it on line. Does this involve a hidden cash flow because there are patents and products under it that make it limited to WindowZ, Linux, FreeBSD, Firefox, Chrome etc.?
I am of the opinion that too many "standards" are entangled with IP that effectively legislate a cash flow to a very limited set of companies.
Ubiquitous standards like pdf & Flash are an entanglement that is quite interesting. More interesting is the entanglement of development tools that generate code that works on a limited set of viewers because of the use of features and bugs. Not a new problem -- DEC knew about and used ill documented display codes on their VT-100 class terminals to keep other vendors from building "work alike" terminals. Intel built a compiler that sensed the local machine and if it was not Intel inside would generate bad code.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
1. The government provides some services at acceptable cost/benefit ratios.
2. The proposed ID system will (inevitably?) be a (mandatory?) govt service.
3. Therefore the ID system will be provided at acceptable cost/benefit ratios.
Expressed this way, the fallacy becomes self-evident. But let's forget Aristotelian logic and concentrate on the key issues:
1. The government provides some services at acceptable cost/benefit ratios.
2. The govt services with the best cost/benefit ratios are generally the "tragedy of the commons" variety --- where regulation, enforcement, inspection and scale (FCC, SEC, FDA, DOD) issues favor centralized management and dispersed execution.
3. But all governments are bedeviled by this: government agencies and departments, once established, experience few incentives to succeed and few sanctions against failure. In the private sector, a failing enterprise goes broke (modulo banks and car companies, these days). In the public sector a failing enterprise gets more funding.
Things have reached the stage where even the most trusted agencies are failing their charters. For example: the SEC let Madoff operate for years despite repeated whistle blowing.
4. People on both the left and the right have overwhelming reasons to be cynical about "we're from the government and we're here to help you".
5. I happen to personally know the guy --- call him Smith --- in government who is pushing the Government ID proposal the hardest. Believe me, he is not doing it because he thinks the government can really add value to solving the ID management problem. He is doing it to establish a nice little sinecure that will insure him a fat government job until he retires on full pension and 100% benefits.
Is that more or less believable than the proposition that the government has suddenly decided to do something noble, something that effectively lessens its control over a key part of the cyber infrastructure?
You have banks that would sign PGP keys? But how are the tellers or manager (except in quite uncommon circumstances) going to know you sufficiently well?
That suggests that you don't have a very high opinion of the typical PGP user.
If I were going to get a PGP key signed, I'd probably start at my local LUG (where people do know who I am). Or I could go to a couple of local politicians I know (from drinking in the same pub as them), who are likely to have PGP keys. I do occasionally swap mails with RMS, but it's unlikely that he'd sign a key for me.
Presumably I could also get someone like Thawte or Canonical or whatever Shuttleworth's certificate signing company is called to sign one for me, for a fee. Is that what you're saying the Bank of Mudsville does?
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
You have banks that would sign PGP keys? But how are the tellers or manager (except in quite uncommon circumstances) going to know you sufficiently well?
When you open a bank account, they see far more documentation about who exactly you are than someone you have a drink with in a pub. Typically in the US, you must show more than one form of official identification, supply your SSN, home address (which they check), and make a deposit of funds.
More importantly, they are in a position to verify that you have the rights to disperse funds from your bank account to pay for on-line purchases. This latter bit is the key point in preventing identity theft and credit card fraud. (Not saying it would be used for signing email.)
My point here is that the same people who rush in to put PGP on a pedestal based on a signature obtained after a few drinks in a pub and attending a conference here or a trade show there, seem to dig in their heels at having a company they trust enough to hold their money to issue them credentials that they are authorized to spend that very same money. They would rather trust to luck with a credit card number that they can simply disown when it is stolen thru their own carelessness, and to hell with the merchant that shipped that 50 inch TV to the thieves.
It's simply mind boggling.
Sig Battery depleted. Reverting to safe mode.