Identity and cryptography

The other day I received an anonymous comment on my blog. I deleted the comment, since the content wasn't particularly useful. Besides, the person didn't leave their name! But immediately after the deletion I had second thoughts. Frankly, I've never been able to establish a commentator's identity online, even though I feel like I can if they leave a name. Just because someone claims to be Larry doesn't mean that they are!

I'm a proponent of both anonymous access and anonymous participation, together with a culture of accountability (and systems in place to keep the signal-to-noise ratio high). Optimally, people choose to use their true identity (or, at least, a consistent online identity) because that's the cultural norm. You see this culture on Facebook, with people using their real names. It similarly exists on Gmail, as people generally use a derivation of their real name (or preferred online identity) in order to form their email address. (This culture does not exist on MySpace, where the cultural norm for names is ~~~InOcAnHaSaGeD69~~~.)

Name, email address, or URL alone is not enough, however.

Shortly after thinking on this, I stumbled on a blog that caught my eye: the author signs all of his comments using PGP! I've no link now, but his commenting system parsed out the PGP signature lines and presented a link at the bottom of the comment to a page with the original comment and signature. Readers can then verify the signature.

This struck me as a wonderful solution, because it unobtrusively builds on the web of trust that PGP encourages, nay, requires. And the re-use of a proven and decentralized technology usually appeals to me. Therefore, I expect to have a similar system implemented for my own website software one day. In the meantime, I strongly encourage you to approach me, Kurt McKee, or your nearest Google-authorized search provider for further information about PGP and its powerful open source alternative, GPG.
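As an added illustration (not code from this blog or from the commenting system described above), here is one way such a system could split a clearsigned comment into the text it displays and the exact block it stores for the verification page. The names `parse_comment` and `ParsedComment` are hypothetical, the sample comment is constructed, and treating an unescaped dash line as malformed is an assumption. Parsing proves nothing by itself: the stored block still has to be checked with `gpg --verify`, and any text outside the block is not covered by the signature.

```python
import re
from dataclasses import dataclass, field
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

@dataclass
class ParsedComment:
    display_text: str          # body to show on the comment page
    signed_block: str = ""     # exact original block for the verification page
    unsigned_extra: str = ""   # text outside the block: NOT covered by the signature
    hashes: list = field(default_factory=list)

def parse_comment(raw: str) -> ParsedComment:
    lines = raw.replace("\r\n", "\n").split("\n")
    plain = ParsedComment(raw.strip())       # fallback: treat as an unsigned comment
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)   # first unescaped marker line
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        return plain
    i, hashes = start + 1, []
    while i < sig and lines[i].strip():      # armor headers run up to a blank line
        m = re.fullmatch(r"Hash:\s*(.+)", lines[i])
        if not m:
            return plain
        hashes += [h.strip() for h in m.group(1).split(",")]
        i += 1
    if i >= sig:                             # no blank separator before the body
        return plain
    body = []
    for ln in lines[i + 1:sig]:
        if ln.startswith("- "):              # undo dash-escaping
            ln = ln[2:]
        elif ln.startswith("-"):             # assumption: unescaped dash is malformed
            return plain
        body.append(ln)
    extra = "\n".join(lines[:start] + lines[end + 1:]).strip()
    block = "\n".join(lines[start:end + 1])  # what gets handed to the verifier
    return ParsedComment("\n".join(body), block, extra, hashes)

# Constructed sample; the signature text is a placeholder, not a real signature.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    "Great post.", "- -- Larry", "- " + BEGIN_SIG,
    BEGIN_SIG, "", "PLACEHOLDER+not+a+real+signature==", "=AAAA", END_SIG,
    "P.S. this line was appended after signing.",
])
```

The sample body contains a dash-escaped copy of the signature marker, which the parser displays as ordinary text instead of mistaking it for the end of the signed content.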

3 comments:

Herohtar said...

Funny you should post about this now... I just realized yesterday that my PGP key expired some time ago (shows you how much I use it) and I was meaning to ask you the proper procedure for generating a new one...

Anonymous said...

What was wrong with the cousin comment?
~TIYBF

Anonymous said...

@herohtar: I'll call you a little later tonight and we can talk.

@Anonymous: A mild incest joke from out of left field? Not much. But coming from "Anonymous" just smacks of trolling (albeit the comment didn't have any venomous teeth to it). It was mostly a knee-jerk. (Gotta get me a sound policy in place, srsly.)

"That's It, You're Both Fired"
"Trolling: It's Your Best Friend"
"They're In Your Basement Floor"