[oclug] Meeting Tonight and PGP fingerprints

Kevin Everets flynn at engsoc.queensu.ca
Fri Apr 6 09:36:31 EDT 2001


On Thu, Apr 05, 2001 at 11:37:00AM -0700, Francis Pinteric wrote:

> I'm my own signing authority. I use keys only on documents that
> require it.

If that's the only way you want to use keys, then you're welcome to do
so.  Personally, I use them to both prove my identity as well as to be
able to receive private communication.  The latter is by far the more
important aspect to me.  A good analogy is: when I mail (through
Canada Post) a letter, I tend to use envelopes and not postcards and
expect that people who send me personal letters would do likewise.
Verifying my public key allows others to send me private communication
and avoids broadcasting everything we say to each other to anyone who
cares to look.  I want as many people as possible to be comfortable
sending this type of private communication.  As a side effect, if I
want to prove that such an encrypted (or even non-encrypted) message
was indeed from me, then the signing aspect becomes very important
(and is relatively easy to do in addition to the encryption once
verification has been achieved).

> I object to the proliferation of and requirement for identification.
> The thin edge of the wedge towards a totalitarian state that
> corporatism leads to.

There should be no requirement for identification.  That seems
obvious, at least to me.  There should, however, exist the relatively
easy ability to prove one's identification to prevent the possibility
of having one's identification usurped.  It is more of an attempt to
retain control and enforce individualism than a move in the direction
of a totalitarian state.  Corporatism seems irrelevant here.  Or
perhaps I misunderstand you?

> I think a neat topic for a presentation would be on how
> authentication works and how signatures are created. That would be
> more fun than to attempt to legitimize someone else's "authority" to
> create signatures.

A presentation on it would probably be a good idea in order to clarify
both why to use it as well as how to use it effectively.  There is no
attempt to "legitimize someone else's "authority" to create
signatures".  That indicates a misunderstanding of the situation.

To explain briefly: each person has the authority to create their own
signature, but that signature has to be trusted to be of any good.
And thus we have the key-signing scenario whereby if Alice creates a
key then I will meet with Alice and confirm that the key I received
(usually by downloading it from somewhere on the net) has really come
from her.  We do this by having her recite to me a fingerprint for the
key which I can verify (as comparing the entire key would be unwieldy
at best).  Once that's done, then I will add my signature to her key
and give it to the world to declare my trust of that key.  Likewise,
she will sign my key and thus declare that she's gone through
reasonable effort to prove that it came from me.  If she believes that
I am diligent in this, then she may set up her software to trust a key
of Bob's which I have previously signed and thus will be able to
extend some trust to Bob's communication without ever having met him.
This has great benefits as it means that one doesn't have to meet
every other individual in person in order to have relatively secure
communications with them. Thus we have a "web of trust" which results
in a completely non-centralized system of trust.  Which is a Good
Thing.

And so, again, I propose that we make a mini key-signing party a part
of each meeting.

Kevin.
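The fingerprint check and the web-of-trust reasoning described in the mail above, as an added toy model (not GnuPG and not code from the list): key names, the SHA-1 "fingerprint" over constructed key material, and the two-step sign-then-trust logic are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Key:
    owner: str
    material: bytes                            # stands in for the public-key packet
    signers: set = field(default_factory=set)  # owners whose keys have signed this one


def fingerprint(key):
    """Short digest of the key material, the thing Alice recites at the meeting.
    Constructed: a real OpenPGP v4 fingerprint is SHA-1 over the key packet."""
    return hashlib.sha1(key.material).hexdigest().upper()


def sign_key(signer, key, recited):
    """Add signer's signature only if the fingerprint recited in person matches
    the key that was downloaded; otherwise refuse and leave the key untouched."""
    if fingerprint(key) != recited.replace(" ", "").upper():
        return False
    key.signers.add(signer)
    return True


def valid_keys(keyring, me, introducers):
    """Keys 'me' may rely on: my own, keys I signed, and keys signed by a fully
    trusted introducer whose own key is already valid. Repeat until no further
    key becomes valid; that transitive step is the 'web' in web of trust."""
    valid = {me}
    changed = True
    while changed:
        changed = False
        for owner, key in keyring.items():
            if owner in valid:
                continue
            if any(s in valid and (s == me or s in introducers) for s in key.signers):
                valid.add(owner)
                changed = True
    return valid


def demo():
    """Scenario from the mail: Kevin signs Alice after checking her fingerprint,
    Alice has signed Bob, Bob has signed Mallory (all keys constructed here)."""
    ring = {n: Key(n, f"constructed-key-of-{n}".encode()) for n in ("kevin", "alice", "bob", "mallory")}
    assert sign_key("kevin", ring["alice"], fingerprint(ring["alice"]))  # recited fingerprint matches
    ring["bob"].signers.add("alice")
    ring["mallory"].signers.add("bob")
    # Kevin trusts Alice as an introducer but not Bob: Bob's key is valid, Mallory's is not.
    return valid_keys(ring, "kevin", introducers={"alice"})
```

Note that a signature on a key and trust in its owner as an introducer are separate decisions: Bob's key is valid because Alice vouched for it, but nothing Bob signs is accepted until Kevin decides Bob is diligent too.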