How best to cryptographically sign scientific papers?
Academia has had some high profile cases of forged identity; for instance, in the last decade the publisher Springer has had to retract 62 papers for this reason alone.
Usually these aren't high-effort attacks, just email address spoofing, etc. These often go something like this:
- An early-career author writes/fabricates a paper.
- They find a respected researcher, and create a confusingly similar email account.
- They add the respected researcher's name to the paper as first author and themselves as second author.
- They contact the journal as the respected author.
This is super annoying - retracting a paper from the record is a huge headache. On the other hand, academia seems like the perfect place for things like key signing parties, what with the scientific conferences and whatnot.
I'd like to try to sign things I might publish, so that the journal can quickly authenticate that the listed author has actually written the paper and is the one communicating with them.
Is this a good idea (or even possible)? I'm quite a novice to the X.509/PGP/GPG world; I wonder if anyone could point me to any precedent and best practices for this specific application? For instance, arXiv requires the raw LaTeX source, so simply signing a .pdf with an X.509 cert is a non-starter.
The academic world has also adopted the ORCiD identifier as a unique reference key for each researcher (to avoid name changes from breaking citations, etc., but not for authentication). Would it be a good idea to include this in the signature somehow?
(note that I'm not actually a scientist [yet] - I might be mistaken about these issues!)
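An added illustration, not taken from the question or from any answer, of what a detached signature over the raw source could bind together: a hypothetical manifest of per-file hashes plus the ORCID and the author list, signed with Ed25519 from Go's standard library. The manifest format, the function names, the sample files and the use of ORCID's own documented example iD are this example's assumptions; it also assumes the journal already holds the author's public key through some trusted channel, which is the part no signature scheme solves by itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest binds the exact source files (as arXiv receives them) to the asserted
// identity. Hypothetical format: "sha256  path" per file in sorted order, then ORCID and authors.
func BuildManifest(files map[string][]byte, orcid string, authors []string) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // canonical order so signer and verifier hash identical bytes
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%x  %s\n", sum[:], n)
	}
	fmt.Fprintf(&b, "orcid: %s\nauthors: %s\n", orcid, strings.Join(authors, "; "))
	return b.String()
}

// Sign produces a detached signature over the manifest with the author's private key.
func Sign(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// Verify is run by the journal on a manifest it regenerates from the submitted sources and
// metadata, so any edit to a file, the ORCID or the author order makes the check fail.
func Verify(pub ed25519.PublicKey, manifest string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(manifest), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample source tree; the ORCID is the one ORCID publishes as its example iD.
	src := map[string][]byte{"main.tex": []byte(`\documentclass{article}`), "refs.bib": []byte("@article{x,}")}
	m := BuildManifest(src, "0000-0002-1825-0097", []string{"A. Author", "B. Author"})
	sig := Sign(priv, m)
	fmt.Println("submitted manifest verifies:", Verify(pub, m, sig))
	// A resubmission that promotes a different name to first author no longer verifies.
	forged := BuildManifest(src, "0000-0002-1825-0097", []string{"Respected Researcher", "A. Author"})
	fmt.Println("forged author list verifies:", Verify(pub, forged, sig))
}
```

The signature only proves that whoever holds the private key endorsed exactly this file set and author list; deciding that the key belongs to the named researcher is a separate step (key signing at conferences, a key published alongside the ORCID record, or similar).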