PGP Key Signing Event Of The Year 18
Meyer Wolfsheim writes "The registration page for CodeCon includes a field for attendees' PGP keys. Apparently, the organizers are planning a massive group keysigning using the Zimmermann-Sassaman method. This could be a great way to increase your Web of Trust ranking." (Here's a previous mention of this year's CodeCon.)
Hmm (Score:3, Funny)
Big circle jerk (Score:3, Insightful)
Back in the real world, companies are signing with Verisign. Where is the Verisign booth?
Web of Trust Slashdot Friends (Score:2)
Re:The Zimmermann-Sassaman method (Score:1)
The main point is the text file has a checksum. They read off the checksum of that file at the beginning of the key signing; as long as the key owners have the same checksum, they can just say that their fingerprints match the ones on the list, instead of each one having to repeat his individual fingerprint.
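An added example (not from the comment above, nor from any keysigning tool) of the checksum step just described: the organizer renders the participant list as a text file, announces one checksum for it, and each attendee confirms that their copy hashes to the announced value before trusting that the fingerprints on it are theirs. The names and fingerprints below are constructed for the example and belong to no real keys; the tab-separated line format and the use of SHA-256 are assumptions of this example, not the method's prescribed format.

```python
import hashlib

# Constructed sample participant list (names and fingerprints are made up for
# this example and do not belong to any real keys).
PARTICIPANTS = [
    ("Alice Example", "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"),
    ("Bob Example",   "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98"),
    ("Carol Example", "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"),
]


def normalize_fingerprint(fp: str) -> str:
    """Strip grouping spaces and upper-case, so formatting differences don't matter."""
    return "".join(fp.split()).upper()


def build_list_file(participants) -> str:
    """Render the list the organizer distributes: one tab-separated line per key
    (number, fingerprint, name). Format is an assumption of this example."""
    lines = [f"{i:03d}\t{normalize_fingerprint(fp)}\t{name}"
             for i, (name, fp) in enumerate(participants, start=1)]
    return "\n".join(lines) + "\n"


def checksum(text: str) -> str:
    """Checksum of the whole list; read out once at the start of the event."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_entry(list_text: str, announced_checksum: str,
                 name: str, fingerprint: str) -> str:
    """What each participant does with their own printed copy of the list:
    first confirm the copy matches the announced checksum, then confirm the
    fingerprint printed beside their name is really theirs."""
    if checksum(list_text) != announced_checksum:
        # Copies differ, so nothing on this copy can be vouched for.
        return "CHECKSUM MISMATCH"
    want = normalize_fingerprint(fingerprint)
    for line in list_text.splitlines():
        _num, fp, who = line.split("\t")
        if who == name:
            return "OK" if fp == want else "FINGERPRINT MISMATCH"
    return "NOT ON LIST"


def tamper(list_text: str, name: str) -> str:
    """Simulate an altered copy of the list: change one hex digit of one entry."""
    out = []
    for line in list_text.splitlines():
        num, fp, who = line.split("\t")
        if who == name:
            fp = ("F" if fp[0] != "F" else "E") + fp[1:]
        out.append(f"{num}\t{fp}\t{who}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = build_list_file(PARTICIPANTS)
    announced = checksum(text)
    print("announced checksum:", announced)
    for name, fp in PARTICIPANTS:
        print(f"{name}: {verify_entry(text, announced, name, fp)}")
    altered = tamper(text, "Bob Example")
    print("altered copy:",
          verify_entry(altered, announced, "Bob Example", PARTICIPANTS[1][1]))
```

The point the comment makes falls out of the last call: a single changed digit anywhere on the list changes the checksum, so once everyone in the room agrees on the announced value, each person only has to confirm their own line rather than reading their whole fingerprint aloud.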
Key Signing Party on FOSDEM (Score:3, Informative)
Until Friday you have the opportunity to send your key to the organizer of the key signing event; to the event you have to bring your I.D. card or passport as well as a print of your key's fingerprint.
Re:looking for big fish to cross sign with (Score:4, Informative)
Of course you often find you need to get people *outside* your area to sign your key to make it any use. So if you're thinking of travel, it's probably an excellent place to go look for someone to trade signatures when you're out of town.
Six degrees of "I don't know these people." (Score:3, Informative)
On that note, I personally would be suspicious of anyone that had more than a dozen or so signings of his/her key.
My philosophy (using the friend of a friend model) is you're probably safe if you're within four degrees (inclusive) - that is, if you're getting messages/content/whatever from an entity that is only four degrees from you by signature, I think you're probably guaranteed to be in a trustworthy transaction, assuming that everyone practices responsible signing. And, isn't that the whole purpose?
Final word: Verisign is a different type of trust model - I don't purport to be addressing that model in my argument.
Re: Six degrees of "I don't know these people." (Score:3, Interesting)
Re: Six degrees of "I don't know these people." (Score:2, Insightful)
Take, for example, Saddam Hussein, to illustrate your point. Sure, I wouldn't mind telling people who he is (in fact, I make it a point in daily life these days to make sure that people know who he is, but that's a different thread), but by acting as an enabler for his transaction (I verified his identity), does that not make me somewhat liable? If my signing of his key put the person on the other side of his transaction over the threshold for continuing the transaction, am I not in the least bit responsible for the contents of the transaction? Theoretically, I would say no, but realistically, I would say yes.
So, by participating in this mass signing, can I really be sure that the people in control of the keys I sign are the people that they say they are? I certainly could not pick any of them out of a lineup. They may all be upstanding people with the highest morals and goals, but I will never sign a key for someone I don't personally know, and know well. By the same logic, I wouldn't want anyone that I don't know signing my key.
How about the eBay user feedback system as a trivial but similar situation? By giving someone good feedback, you are helping to establish that person as a credible entity to do business with. Good in theory, but cranks abound on eBay - let's say that I am a wholly disreputable seller, and I get some friends to "buy" a lot of merchandise from me, and to give good feedback. The sheer volume of good comments may convince my real targets to do business with me - I take their money and run. On the other hand, let's say I'm a good seller. eBay is my internet storefront, and I move lots of merchandise through there. People like me because I have good prices and great product, so I get good feedback. Any potential buyer should still be leery of me, unless he/she personally knows one or more of my commentators. The buyer has no other reliable method of establishing that I am not going to screw them in the transaction.
That is directly analogous to participating in this mass signing. It opens the doors for deception; whether or not deception occurs is irrelevant.
The simple act of identifying someone reflects on your character. I know that the people whose keys I've signed are very responsible about protecting their personal data. I know that they would never reveal their passphrase or leave their private keys available to compromise. They believe the same of me. This is the trust that we share, that allows us to act as a responsible second party identification system for each other.
At the end of the day, I, being a party to a two-way PGP transaction, am trusting you, the signer of the other party's key, that the other party is who they say they are. I don't know you from Jack - and if you don't know the other party from Jack, then it is a breach of trust, not between me and my co-communicator, but between me and you. Should the other party turn out not to be who they claim to be, you are at fault - you helped encourage me (by establishing that party's identity) to continue the transaction. That is a responsibility that I refuse to take on.
Sorry to ramble on, but it really did take this much thought to articulate my point.
Re: Six degrees of "I don't know these people." (Score:2, Insightful)
First, I wouldn't be quick to judge someone unfavorably by the high number of signatures on a key. Not only does that punish people who really might have that many close acquaintances (which makes them valuable to the Web of Trust), but a key owner has no control over who slaps frivolous signatures on his public key without his consent. I assume that a lot of well-known net-celebrities each have at least a couple of non-consensual "new best friends" who went out and signed his alleged key because they met him once, and didn't verify his fingerprint because they still don't get the idea. I had a guy offer to sign my key without verifying my identity, and I'm nowhere near famous. (Needless to say, he's marked as a worthless signature in my trust database.)
On the Web of Trust: I've always understood that trusting a person's identity, and trusting their willingness to sign other keys correctly, were different issues. I think the real problem is that, since most PGP implementations (as far as I know) only allow for a public declaration of identity trust, not signing trust, the Web of Trust really only works if you assume that most people would only sign people they trust to treat other keys the same way. Unfortunately, that's not always going to be true. Even if you sign only the keys of people whose behavior you trust, it's a leap of faith to expect that people even 2 hops away will do the same. (Apparently there is a way to specify the "introducer" trust of the key in the OpenPGP spec, but I haven't seen that in use.)
On being an accessory by signing a key: If the government issues an ID card to someone they know is alcoholic, and that person uses the card to prove age, and thus to buy liquor, and then the person does something stupid because they're drunk, is the state responsible? This goes back to the topic of what a person's Web of Trust really is. Are you participating in a private clique (in which case you can at least declare that you expect a certain amount of discretion until the PGP implementations are more robust), or a mass public service? Under the current system, if you don't know, in general terms, who almost all of the people in a trust chain are, you have no reason to trust that the owner at the bottom of the signature chain is who they claim anyway.
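An added example (not from either commenter, and not GnuPG's own code) that models the two ideas raised in this thread: the "four degrees by signature" rule from the earlier comment, and this comment's distinction between trusting a key's identity and trusting its owner as an introducer. It keeps the two separate: signature edges say who has vouched for whose key, and a private owner-trust table says how much I rely on each person's signatures on other keys. The validity rule (one fully trusted signer, or three marginally trusted signers, within four hops) is modelled on GnuPG's marginal/complete trust scheme; the depth limit of four is taken from the earlier comment, and the web itself (names, signatures, trust levels) is constructed for the example.

```python
from collections import deque

# Constructed sample web of trust: signer -> set of keys that signer has signed.
# All names are made up for this example.
SIGNATURES = {
    "me":      {"alice", "bob", "carol"},
    "alice":   {"dave"},
    "bob":     {"dave", "erin"},
    "carol":   {"dave"},
    "dave":    {"frank"},
    "erin":    {"frank"},
    "frank":   {"grace"},
    "mallory": {"grace"},   # signs keys, but nobody I trust has vouched for mallory
}

# Owner trust: my private judgement of each person *as an introducer*.
# This is separate from whether I believe their key belongs to them.
OWNER_TRUST = {
    "me": "ultimate",
    "alice": "marginal", "bob": "marginal", "carol": "marginal",
    "dave": "full", "erin": "none", "frank": "marginal",
}


def degree_of_separation(me, target, signatures):
    """Length of the shortest signature chain from me to target, or None."""
    dist = {me: 0}
    queue = deque([me])
    while queue:
        key = queue.popleft()
        for signed in signatures.get(key, ()):
            if signed not in dist:
                dist[signed] = dist[key] + 1
                queue.append(signed)
    return dist.get(target)


def compute_validity(me, signatures, owner_trust, marginals_needed=3, max_depth=4):
    """Return {key: depth} for every key whose identity I consider valid.

    A key becomes valid when it is signed by one already-valid key whose owner
    I fully (or ultimately) trust, or by `marginals_needed` already-valid keys
    whose owners I marginally trust; the search stops after `max_depth` rounds.
    Signatures from keys that are not yet valid, or whose owners I do not trust
    as introducers, count for nothing."""
    signers_of = {}
    for signer, signed_keys in signatures.items():
        for key in signed_keys:
            signers_of.setdefault(key, set()).add(signer)

    valid = {me: 0}                      # my own key is valid by definition
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]
            full = sum(1 for s in usable if owner_trust.get(s) in ("full", "ultimate"))
            marginal = sum(1 for s in usable if owner_trust.get(s) == "marginal")
            if full >= 1 or marginal >= marginals_needed:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


if __name__ == "__main__":
    valid = compute_validity("me", SIGNATURES, OWNER_TRUST)
    for key in ["alice", "dave", "erin", "frank", "grace", "mallory"]:
        degree = degree_of_separation("me", key, SIGNATURES)
        status = f"valid at depth {valid[key]}" if key in valid else "NOT valid"
        print(f"{key:8s} degree={degree}  {status}")
```

Running it shows why hop count alone is not the whole story: erin is only two signatures away but stays invalid, because the only signer vouching for her is someone I trust just marginally and one marginal signature is not enough; grace is exactly four hops away and signed by a valid key, but frank's single marginal signature does not carry her over the threshold, and mallory's signature is worthless because nobody has vouched for mallory at all. Dave, on the other hand, becomes valid through three marginal signers, and frank through dave alone, because I trust dave fully as an introducer.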
Re:Six degrees of "I don't know these people." (Score:2, Interesting)
Inefficient and bad way for signing (Score:1)
This is a very inefficient way of signing and it does not provide you with the guarantee that the one you sign really is the person.
A much more efficient way is described on http://ole.tange.dk/projekter/keysigning/