Slashdot Mirror


Organizing Large Key-Signing Events?

FooBarBaz asks: "I'll probably be organizing a quite large (read ~ 300+ people) PGP/GnuPG-Key-Signing-Event. Everyone suspiciously eyeing each others ID and reading fingerprints to everyone else is quite out of the question with such numbers. How would you organize something like that and still be able to select 'I have checked very carefully' when GPG asks?"

3 of 31 comments

  1. ID by Komarosu · Score: 3, Informative

    Get all the attendees to bring ID in 3 forms: utility bill, photo ID (passport/driving licence), and a cash card/bank statement. These 3 forms of ID will get you pretty much anything in the UK, from loans to mobile phone contracts.

    --

    "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
  2. Re:huh? by Anonymous Coward · Score: 2, Informative

    Some problems can only be avoided by, or are much less of a problem after, direct contact: keys are associated with names, not human beings. To make the latter association, you have to verify that the name belongs to the person. This needs to be done to avoid impersonations ("identity theft"). Man-in-the-middle attacks can only be avoided if some information is exchanged which is guaranteed to be untampered. Listening in is OK with public key systems, but if someone can present their keys in place of someone else's and you don't notice, the man in the middle can read and modify everything. The only safe way to verify the name-person relation is to meet in person. The PGP web of trust is a mechanism to reduce the amount of work which participants need to put into meeting each other by delegating trust. It is not meant to avoid this step altogether. Meeting in person may also give you a better idea of the trustworthiness of the other person. You may want to differentiate between trusting the other person's key validity and your trust in the other person's ability to verify and reliably sign other people's keys.

  3. Verify the email addresses as well by Fluffy+the+Cat · Score: 3, Informative

    1) Get everyone to mail their fingerprints to the organiser beforehand
    2) Set aside some time for verification. Get a big projector
    3) Get people to come up one by one, show their ID and verify that their fingerprint is correct
    4) Remind everyone to check that the email addresses on the key are actually owned by the person owning the key (use that key to encrypt a message containing a unique cookie to each address. Ask the recipient to send it back to you either unencrypted or encrypted with your key).

    The last step is important, since otherwise I can claim to be billg@microsoft.com and you signing my key states that you believe me to be billg@microsoft.com. I can then send mail signed with that key, and people within your web of trust will get a message saying that there's a valid signature and that the sender is believed to be billg@microsoft.com.

    It really is important to verify all the information in the key, not just the name of the person.
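The four-step procedure in the comment above can be tracked by the organiser with a small bookkeeping script. The following is an added example, not code from the original thread or from any commenter: it normalises the fingerprints mailed in beforehand (step 1), records the in-person ID/fingerprint check (step 3), issues one unguessable cookie per (key, email address) pair for the address check (step 4), and reports which user IDs on a key are safe to sign only once both checks have passed. The attendee data is constructed sample data; the actual encryption of each challenge to the attendee's key is left to GnuPG (for example `gpg --encrypt --recipient <fingerprint>`) and is not performed here.

```python
import re
import secrets
from dataclasses import dataclass, field

# An OpenPGP v4 fingerprint is 40 hex digits (160-bit SHA-1 of the key packet).
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def normalise_fingerprint(text: str) -> str:
    """Strip the spaces/colons people type in fingerprints and require exactly
    40 hex digits, so a truncated or mistyped fingerprint is rejected instead
    of being matched against the wrong key."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not FPR_RE.match(fpr):
        raise ValueError(f"not a 40-hex-digit fingerprint: {text!r}")
    return fpr


@dataclass
class Attendee:
    name: str
    emails: list
    id_checked: bool = False                          # step 3 done in person
    confirmed_emails: set = field(default_factory=set)  # step 4 cookies returned


class KeysigningRegistry:
    """Organiser-side state for one key-signing event (hypothetical helper)."""

    def __init__(self):
        self.attendees = {}   # fingerprint -> Attendee
        self.challenges = {}  # cookie -> (fingerprint, email), one-shot

    def register(self, name, fingerprint, emails):
        """Step 1: fingerprint and UIDs mailed to the organiser before the event."""
        fpr = normalise_fingerprint(fingerprint)
        self.attendees[fpr] = Attendee(name, list(emails))
        return fpr

    def verify_in_person(self, fingerprint_read_aloud):
        """Step 3: the fingerprint the attendee reads from their own printout
        must match what they mailed in; anything else is a mismatch, not a key."""
        fpr = normalise_fingerprint(fingerprint_read_aloud)
        attendee = self.attendees.get(fpr)
        if attendee is None:
            return False
        attendee.id_checked = True
        return True

    def issue_challenges(self):
        """Step 4: one random cookie per (key, email). Each message must be
        encrypted to that key by the caller before it is sent, so that only
        someone who can both decrypt with the key and read the mailbox can
        return the cookie."""
        out = []
        for fpr, attendee in self.attendees.items():
            for email in attendee.emails:
                cookie = secrets.token_urlsafe(24)
                self.challenges[cookie] = (fpr, email)
                out.append({"fpr": fpr, "email": email, "cookie": cookie,
                            "message": f"Key-signing address check for {email} on key {fpr}.\n"
                                       f"Reply to the organiser with this cookie: {cookie}\n"})
        return out

    def redeem(self, cookie):
        """Accept a returned cookie exactly once; a replayed or unknown cookie fails."""
        entry = self.challenges.pop(cookie, None)
        if entry is None:
            return False
        fpr, email = entry
        self.attendees[fpr].confirmed_emails.add(email)
        return True

    def ready_to_sign(self, fpr):
        """UIDs on this key that passed both the in-person check and the
        address check. Unconfirmed addresses are never returned."""
        attendee = self.attendees[fpr]
        if not attendee.id_checked:
            return []
        return sorted(attendee.confirmed_emails)


def demo():
    """Constructed walk-through: one attendee, two UIDs, only one address answers."""
    reg = KeysigningRegistry()
    fpr = reg.register("Alice Example",
                       "1234 5678 9abc def0 1234  5678 9abc def0 1234 5678",
                       ["alice@example.org", "alice@example.net"])
    reg.verify_in_person("123456789ABCDEF0123456789ABCDEF012345678")
    challenges = reg.issue_challenges()
    first = challenges[0]["cookie"]
    reg.redeem(first)          # Alice replies from example.org only
    reg.redeem(first)          # a second use of the same cookie is ignored
    return reg.ready_to_sign(fpr)


if __name__ == "__main__":
    print(demo())  # only the confirmed UID is listed
```

The cookie is the proof, not the sender address of the reply: a forged From header gains nothing without the decrypted cookie, which is why the challenge must be encrypted to the attendee's key rather than sent in the clear.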