Slashdot Mirror


Organizing Large Key-Signing Events?

FooBarBaz asks: "I'll probably be organizing a quite large (read ~ 300+ people) PGP/GnuPG-Key-Signing-Event. Everyone suspiciously eyeing each others ID and reading fingerprints to everyone else is quite out of the question with such numbers. How would you organize something like that and still be able to select 'I have checked very carefully' when GPG asks?"

7 of 31 comments

  1. ID by Komarosu · · Score: 3, Informative

    Get all the attendees to bring ID in 3 forms. Utility Bill, Photo ID (passport/driving license), and a Cashcard/Bank statement. These 3 forms of ID will get you pretty much anything in the UK, from loans to mobile phone contracts.

    --

    "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
    1. Re:ID by WIAKywbfatw · · Score: 5, Insightful

      Get all the attendees to bring ID in 3 forms. Utility Bill, Photo ID (passport/driving license), and a Cashcard/Bank statement. These 3 forms of ID will get you pretty much anything in the UK, from loans to mobile phone contracts.

      The odds are that the original questioner (Ask Slashdotter?) is American - only 5% of Americans own passports but, fortunately, most do have driving licenses that have a photograph on them. However, getting hold of a fake driving license is no problem in the US, and while a Texan might have no problem recognising a fake Texas license, s/he'll probably struggle to tell whether the license from Vermont that they've been presented with is the real McCoy.

      Utility bills are useful - until you realise that only one, maybe two, of the occupants in the average household will be responsible for paying the bills. Which means you're probably shit out of luck if you live with family, friends or are at college.

      Bank statements are also a mixed blessing. In the US, it's not uncommon for older kids (16+) to be issued with a credit card that's on their parents' account. If you're a college student and this is you, then you probably never see a statement, and even if you do it's going to have one of your parents' names on it, not yours.

      Bottom line is this: try to be a little bit flexible when asking for identification. Not everyone has the same life, with the same neatly pigeon-holed pieces of paper.

      --

      "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  2. Maybe your event isn't such a good idea after all. by Lauritz · · Score: 5, Insightful

    If you can't check, you shouldn't trust. By trying to bypass some of the checks, you bypass your own security and the security of those who trust you.

  3. Verify the email addresses as well by Fluffy+the+Cat · · Score: 3, Informative

    1) Get everyone to mail their fingerprints to the organiser beforehand.
    2) Set aside some time for verification. Get a big projector.
    3) Get people to come up one by one, show their ID and verify that their fingerprint is correct.
    4) Remind everyone to check that the email addresses on the key are actually owned by the person owning the key (use that key to encrypt a message to each address with a unique cookie in. Ask the recipient to send it back to you either unencrypted or encrypted with your key).

    The last step is important, since otherwise I can claim to be billg@microsoft.com and you signing my key states that you believe me to be billg@microsoft.com. I can then send mail signed with that key, and people within your web of trust will get a message saying that there's a valid signature and that the sender is believed to be billg@microsoft.com.

    It really is important to verify all the information in the key, not just the name of the person.
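The bookkeeping behind steps 3 and 4 of the comment above, as an added example that is not part of the original thread: a key's user ID becomes signable only when the fingerprint matches the sheet checked in person and the cookie mailed to that exact address has come back. The class and function names, the fingerprint and the addresses are constructed for illustration; encrypting and mailing each cookie is left to gpg and a mail client.

```python
import hmac
import secrets

def normalize_fpr(text):
    """Drop spaces/colons from a printed fingerprint and upper-case it."""
    return "".join(ch for ch in text if ch.isalnum()).upper()

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class SigningChecklist:
    def __init__(self, sheet):
        # sheet: {attendee name: fingerprint confirmed in person against ID}
        self.sheet = {n: normalize_fpr(f) for n, f in sheet.items()}
        self.cookies = {}       # (fingerprint, email) -> cookie that was sent
        self.confirmed = set()  # (fingerprint, email) pairs that answered

    def fingerprint_ok(self, name, key_fpr):
        """Step 3: does the key you fetched match the sheet from the event?"""
        expected = self.sheet.get(name)
        return expected is not None and same(expected, normalize_fpr(key_fpr))

    def issue_cookie(self, key_fpr, email):
        """Step 4: unique cookie, to be encrypted to this key and mailed
        to this one address (e.g. gpg --armor --encrypt --recipient FPR)."""
        cookie = secrets.token_urlsafe(16)
        self.cookies[(normalize_fpr(key_fpr), email.lower())] = cookie
        return cookie

    def record_reply(self, key_fpr, email, returned):
        """Confirm the UID only if the cookie sent to that address came back."""
        pair = (normalize_fpr(key_fpr), email.lower())
        sent = self.cookies.get(pair)
        if sent is not None and same(sent, returned.strip()):
            self.confirmed.add(pair)
            return True
        return False

    def signable_uids(self, name, key_fpr, uid_emails):
        """UIDs to certify: fingerprint matched and the address answered."""
        if not self.fingerprint_ok(name, key_fpr):
            return []
        fpr = normalize_fpr(key_fpr)
        return [e for e in uid_emails if (fpr, e.lower()) in self.confirmed]

# Constructed sample: one key carrying two UIDs, only one of which replies.
SHEET = {"Alice Example": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"}
KEY_FPR = "0123456789abcdef0123456789abcdef01234567"
UIDS = ["alice@example.org", "billg@example.com"]
```

With the sample data, a reply carrying the first address's cookie makes only that UID signable; the second UID stays unsigned until its own cookie is returned.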

  4. Webs of trust by pete-classic · · Score: 3, Insightful

    I'm no expert, but I thought that part of the idea was that people sign the keys of people they actually know. This forms an interlocking verification -- a web of trust.

    It sounds like you are trying to build a "monolith of trust." Maybe you are having trouble because your idea goes against the grain.

    -Peter

  5. Easy by rweir · · Score: 3, Interesting

    Just get everyone to come along with 50-odd copies of their fingerprint/address/etc. Everyone can wander around, introducing themselves to each other and exchanging fingerprints. Why not combine the practical with the social? Lord knows the type of people who go along to key-signing parties need all the help they can get:)

  6. Start Here by 4of12 · · Score: 3, Funny

    here.

    But you're right, there ought to be a little bit more granularity in the trust specifications.

    [Reminds me of when my brother in law sent me a Power of Attorney so I could act in his behalf for his minor son.

    I didn't tell him that I was thereby enabled to do a lot of financial transactions on his behalf, sell his house, etc.]

    They need a few more questions, like:

    "I'd trust Alice with a loaded gun pointed at me after she's had 8 drinks and I rear-ended her new car."
    --
    "Provided by the management for your protection."