Slashdot Mirror

← Back to Stories (view on slashdot.org)

Organizing Large Key-Signing Events?

Posted by Cliff on from the keeping-the-trust-chain-intact dept.

FooBarBaz asks: "I'll probably be organizing a quite large (read ~ 300+ people) PGP/GnuPG-Key-Signing-Event. Everyone suspiciously eyeing each others ID and reading fingerprints to everyone else is quite out of the question with such numbers. How would you organize something like that and still be able to select 'I have checked very carefully' when GPG asks?"

4 of 31 comments (clear)

  1. Re:ID by WIAKywbfatw · · Score: 5, Insightful

    get all the attendees to bring ID in 3 forms. Utility Bill, Photo ID (passport/driving license), and a Cashcard/Bank statment. These 3 forms of ID will get you pritty much anything in the UK, from loans to mobile phone contracts.

    The odds are that the original questionner (Ask Slashdotter?) is American - only 5% of Americans own passports but, fortunately, most do have driving licenses that have a photograph on them. However, getting hold of a fake driving license is no problem in the US, and while a Texan might have no problem recognising a fake Texas license, s/he'll probably struggle to tell whether the license from Vermont that they've been presented with is the real mccoy.

    Utility bills are useful - until you realise that only one, maybe two, of the occupants in the average household will be responsible for paying the bills. Which means you're probably shit out of luck if you live with family, friends or are at college.

    Bank statements are also a mixed blessing. In the US, it's not uncommon for older kids (16+) to be issued with a credit card that's on their parents account. If you're a college student and this is you, then you probably never see a statement, and even if you do it's going to have one of your parents name on it not yours.

    Bottom line is this: try to be a little bit flexible when asking for identification. Not everyone has the same life, with the same neatly pigeon-holed pieces of paper.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  2. Maybe your event isn't such a good idea afterall. by Lauritz · · Score: 5, Insightful

    If you can't check, you shouldn't trust. By trying to bypass some of the checks, you bypass your own security and the security of those who trust you.

  3. Re:Authencators by Anonymous Coward · · Score: 1, Insightful

    You're trying to collapse one link in the web of trust for no reason: If every key is signed by the central authenticator all you need to (and should) do is evaluate your trust relation with the authenticator. The software will then figure out how much you trust the keys signed by the authenticator depending on the two trust relations you-authenticator and authenticator-thirdparty.

  4. Webs of trust by pete-classic · · Score: 3, Insightful

    I'm no expert, but I thought that part of the idea was that people sign the keys of people they actually know. This forms an interlocking verification -- a web of trust.

    It sounds like you are trying to build a "monolith of trust." Maybe you are having trouble because your idea goes against the grain.

    -Peter