Kurt McKee

lessons learned in production

Hey there! This article was written in 2007.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

Identity and cryptography

Posted 19 November 2007

The other day I received an anonymous comment on my blog. I deleted the comment, since the content wasn't particularly useful. Besides, the person didn't leave their name! But immediately after the deletion I had second thoughts. Frankly, I've never been able to establish a commentator's identity online, even though I feel like I can if they leave a name. Just because someone claims to be Larry doesn't mean that they are!

I'm a proponent of both anonymous access and anonymous participation, together with a culture of accountability (and systems in place to keep the signal-to-noise ratio high). Optimally, people choose to use their true identity (or, at least, a consistent online identity) because that's the cultural norm. You see this culture on Facebook, with people using their real names. It similarly exists on Gmail, as people generally use a derivation of their real name (or preferred online identity) in order to form their email address. (This culture does not exist on MySpace, where the cultural norm for names is ~~~InOcAnHaSaGeD69~~~.)

Name, email address, or URL alone is not enough, however.

Shortly after thinking on this, I stumbled on a blog that caught my eye: the author signs all of his comments using PGP! I've no link now, but his commenting system parsed out the PGP signature lines and presented a link at the bottom of the comment to a page with the original comment and signature. Readers can then verify the signature.

This struck me as a wonderful solution, because it unobtrusively builds on the web of trust that PGP encourages, nay, requires. And the re-use of a proven and decentralized technology usually appeals to me. Therefore, I expect to have a similar system implemented for my own website software one day. In the meantime, I strongly encourage you to approach me, Kurt McKee, or your nearest Google-authorized search provider for further information about PGP and its powerful open source alternative, GPG.
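As an added illustration (not code from this blog or from the commenting system described above), here is one way a comment handler could separate a PGP cleartext-signed comment into the text to display and the untouched original that readers verify. The function name and dictionary keys are hypothetical, and the block only parses the comment; it does not check the signature.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(comment):
    """Split a comment into display text, the verbatim signed block, and any
    text outside that block. Returns None if no well-formed block is found."""
    lines = comment.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        return None
    # Armor headers such as "Hash: SHA256" run up to the first empty line.
    i = start + 1
    while i < sig and lines[i] != "":
        if not re.fullmatch(r"Hash: [A-Za-z0-9, ]+", lines[i]):
            return None
        i += 1
    if i >= sig:
        return None  # no empty line between the headers and the signed text
    body = []
    for line in lines[i + 1:sig]:
        if line.startswith("- "):
            line = line[2:]      # undo dash-escaping for display
        elif line.startswith("-"):
            return None          # a bare dash line cannot occur in signed text
        body.append(line)
    outside = [l for l in lines[:start] + lines[end + 1:] if l.strip()]
    return {
        "display": "\n".join(body),                   # shown as the comment
        "original": "\n".join(lines[start:end + 1]),  # linked page, for verification
        "unsigned": outside,                          # NOT covered by the signature
    }

# Constructed sample; the armored signature is a placeholder, not a real one.
SAMPLE = ("Larry says:\n" + BEGIN_MSG + "\nHash: SHA256\n\n"
          "I agree with the post.\n- -- Larry\n"
          + BEGIN_SIG + "\n\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\n" + END_SIG)

if __name__ == "__main__":
    print(split_clearsigned(SAMPLE))
```

Anything returned under `unsigned` sat outside the signed block, so a page that renders it should mark it as not covered by the signature. A reader who saves the `original` text to a file can check it with `gpg --verify`.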