[oclug] Key Signing Parties.

Francis J. A. Pinteric linuxdoctor at linux.ca
Fri Jul 4 14:51:36 EDT 2003 

On Fri, 4 Jul 2003 19:04:45 +0100
Matthew Wilcox <willy at debian.org> wrote:

> On Fri, Jul 04, 2003 at 01:20:08PM -0400, Francis J. A. Pinteric
> wrote:
> > LOL.  I should have chosen my words more carefully.  Of course I
> > meant to use the computer to copy keys for signing, or to check
> > fingerprints etc.  But then, you can't really trust any computer,
> > can you?
> 
> No, but there's a level of risk we all decide to live with.  There's
> many levels between looking both ways before crossing the road and
> riding a pogo stick into a minefield.
> 

Naturally.


> > But there's nothing wrong with having a key-signing event at the
> > LITW anyway, is there? At the very least remind people to bring
> > their fingerprints.
> 
> No, nothing wrong at all.  It seems somewhat less convenient to hold
> a keysigning party outdoors instead of in a room away from wind and
> such, but to each their own.
> 

Ah, so you were at the first LITW where the wind was strong enough to
blow people away .... :-)


> > As for the gpg-party.html protocol you reference.  I have my own
> > objections to it.  One point that I particularily object to is the
> > profering of ID to verify the identity of a person whose keys you
> > are signing.  
> 
> I didn't necessarily endorse the whole contents of that URL.  But the
> position you espouse is very absolutist. 

I'm Catholic after all ... the One, True, Religion outside of which
there is absolutely no salvation and everyone else goes to Hell.
<chuckle>


> OpenPGP allows one to
> specify how much checking one has done and therefore how strong your
> signature is.  For someone who I've only met at a keysigning, I don't
> give more than a level 2 signature ("I have done casual checking").  I
> think having checked government-issued photo ID is sufficient for this
> strength of signature.
> 

How can you tell if it's real or not?  Besides, government issued IDs
are not for this kind of use.  There are some dry cleaning
establishments in this town that will not give you your own clothes back
without an ID. The one and only time I went to such a place, they wanted
to record my driving license ID number.  This I refused to allow them to
do, and immediately reported them to the police.

I do not misuse my ID in this way, and neither should you.  Keysigning
parties constitute a misuse of such IDs.  Building a web of trust is
about building community through personal interaction.  This is what key
signing parties are all about, so that we can get to know each
other and to build a sense of community, a sense of trust, in each
other.

Each person's web of trust is based on who they know, and from combining
these webs of trust one can build the larger community.  Simply signing
the key of someone because they produce ID only tells you that they have
that ID.  It doesn't tell you anything about them personally, which is
far more important.  That's why I sign keys only of people that I
personally know, and know what their key signing behaviour is.

For me it isn't only about being certain about information coming from
them, but also about information coming from people that I do not know
that they do.  In most cases, it's isn't important in the least.
However, if you are involved in the transfer of important data, and
person Such-and-such tells you that So-and-so will send it to you, whom
you do not know, it would certainly help if So-and-so signed that data
with a key that Such-and-such has also signed.

Otherwise, you are allowing your GPG keys to be another form of ID
to be misused, and we all carry too much of that around with us
already.  Many people have come into the habit of simply offering ID
whenever asked, and it is a habit that we must supress.  Such ID is not
anybody's business than your own and the issuing authority.


> > I use different keys for different types of correspondence, mostly
> > determined by who I am corresponding with.  Mailing lists, use this
> > particular key, and you will notice that it isn't signed by anyone
> > other than the obligatory self signature.
> 
> I don't understand why people keep keys on the same machine they do
> email from.  There have been enough buffer-overflow bugs in mailers to
> keep me well away from that kind of thing.  If I have to sign an
> email, I do that on a different machine and then transfer it.

That would depend on the mailer, wouldn't it?  I am sufficiently
familiar with the source code of all the software involved
(sylpheed-claws, gnupg, GPGME), that I'm not that concerned.  As for
other people, they quite rightly should be concerned and should learn
familiarize themselves with the source code for the software that they
use, even if they have to learn how to programme in the process.


> Plus, who gives a **** whether your list mail is signed?  I mean,
> really. What's the threat model here?  Suppose I start posting mails
> spoofed as being from Francis Pinteric... who would care?
> 

I would.  It has happened that people have posted messages to certain
mailing lists pretending to be me.  By their doing these things, they
have done quite a lot of harm to me personally and to my reputation. 
While I am not completely paranoid, I do take some rudimentary
precautions by at least sending signed messages.  Even with that slight
precaution, and it is indeed quite minimal, I had been able to
completely stop those who have been trying to do me harm.  Should more
stringent measures be required at some future date, I will implement
them.

Perhaps you might not care if someone misuses your identity, but I've
learned the hard way that there really are people out there who just
might want to do you harm.  My political, economic, social and religious
positions do tend to offend a number of people and some of them are
terrorists.

>>>--fja->

-- 
Fashion is for people who have no style.

There are three crimes which deserves the death penalty:
conformity, political correctness, and smoking.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://tux.oclug.on.ca/pipermail/oclug/attachments/20030704/8a6d2a30/attachment.bin

More information about the OCLUG mailing list