Slashdot Mirror


PGP Key Signing Event Of The Year

Meyer Wolfsheim writes "The registration page for CodeCon includes a field for attendees' PGP keys. Apparently, the organizers are planning a massive group keysigning using the Zimmermann-Sassaman method. This could be a great way to increase your Web of Trust ranking." (Here's a previous mention of this year's CodeCon.)

18 comments

  1. Hmm by Henry+V+.009 · · Score: 2, Funny

    Would be more useful if we all knew what we were supposed to look like. Now where did I put my fake Linus Torvalds driver's license?

  2. Big circle jerk by ObviousGuy · · Score: 3, Insightful

    Massive isn't the word that immediately comes to mind when looking at that sponsor/presenter list. Maybe a couple thousand people at most.

    Back in the real world, companies are signing with Verisign. Where is the Verisign booth?

    --
    I have been pwned because my /. password was too easy to guess.

    1. Re:Big circle jerk by Anonymous Coward · · Score: 0

      Do you trust(tm) Verisign?

  3. Web of Trust Slashdot Friends by zulux · · Score: 1

    Perhaps slashdot could tie the friend/foe system with the web-of-trust system. Just a thought.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  4. The Zimmermann-Sassaman method by Anonymous Coward · · Score: 0

    You say that like it's anything more than putting a bunch of keys in a text file.

    1. Re:The Zimmermann-Sassaman method by Jim+Efaw · · Score: 1

      The main point is the text file has a checksum. They read off the checksum of that file at the beginning of the key signing; as long as the key owners have the same checksum, they can just say that their fingerprints match the ones on the list, instead of each one having to repeat his individual fingerprint.
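
The procedure in the reply above, written out as an added example (this is not code from the page, from CodeCon, or from Zimmermann or Sassaman): everyone prints the same numbered list of fingerprints, the organizer reads one checksum of that file aloud, and each owner then only confirms "my line is correct" instead of reading 40 hex digits to the room. Names and fingerprints below are constructed placeholders, and SHA-256 as the checksum is my choice; the page does not say which hash was used.

```python
"""Zimmermann-Sassaman style keysigning list: one shared text file, one
spoken checksum, one "my line is correct" per key owner.

Added example; not from the page or from any CodeCon tooling. Sample
names and fingerprints are constructed, SHA-256 is an assumed choice.
"""
import hashlib
import re

# Constructed sample submissions (what attendees typed into the registration form).
SUBMISSIONS = [
    ("Alice Example <alice@example.org>",
     "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"),
    ("Bob Example <bob@example.org>",
     "fedcba9876543210fedcba9876543210fedcba98"),       # lower case, no spaces
    ("Carol Example <carol@example.org>",
     "  89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF\n"),  # stray whitespace
]

HEX40 = re.compile(r"[0-9A-F]{40}")
# "NNN  <50-char grouped fingerprint>  <user id>"
LINE = re.compile(r"^(\d{3})  ([0-9A-F ]{50})  (.+)$")


def normalize_fingerprint(fpr: str) -> str:
    """Canonical form: 40 upper-case hex digits (a v4 OpenPGP fingerprint).
    Whitespace and lower case are tolerated; anything else (a short key ID,
    a v3 MD5 fingerprint, a typo) is rejected before the list is built, since
    a wrong line discovered in the room wastes everyone's time."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not HEX40.fullmatch(cleaned):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return cleaned


def format_fingerprint(fpr40: str) -> str:
    """gpg's familiar grouping: ten groups of four, double space in the middle."""
    g = [fpr40[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(g[:5]) + "  " + " ".join(g[5:])


def build_list(submissions) -> str:
    """The text file everyone prints. Fixed line format and LF line endings so
    that every copy hashes identically; the number is what people call out."""
    lines = []
    for n, (uid, fpr) in enumerate(submissions, start=1):
        lines.append(f"{n:03d}  {format_fingerprint(normalize_fingerprint(fpr))}  {uid}")
    return "\n".join(lines) + "\n"


def list_checksum(text: str) -> str:
    """The value the organizer reads aloud. Attendees compare it against the
    hash of their own printout before believing anything on it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_list(text: str) -> dict:
    """number -> (normalized fingerprint, user id); rejects malformed lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"malformed list line: {line!r}")
        entries[m.group(1)] = (normalize_fingerprint(m.group(2)), m.group(3))
    return entries


def owner_confirms(text: str, number: str, own_fingerprint: str) -> bool:
    """What each key owner does at the event: compare the list's line against
    the fingerprint from their own `gpg --fingerprint` output. Only when this
    is True do they stand up and say "number N, my line is correct"."""
    entries = parse_list(text)
    if number not in entries:
        return False
    return entries[number][0] == normalize_fingerprint(own_fingerprint)


def attendee_checks(printed_copy: str, announced_checksum: str) -> bool:
    """What each prospective signer does first: is my printout byte-for-byte
    the file the organizer hashed? If not, the owners' confirmations say
    nothing about the lines on my copy."""
    return list_checksum(printed_copy) == announced_checksum
```

The two checks together are what lets one spoken checksum replace N spoken fingerprints: the signer trusts the owner's "my line is correct" only for the file whose checksum matched, and afterwards signs only the keys whose owners both confirmed their line and showed identification.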

  5. Key Signing Party on FOSDEM by root+66 · · Score: 3, Informative

    Next Sunday, there will be a key signing party at FOSDEM in Brussels, Belgium.

    Until Friday you have the opportunity to send your key to the organizer of the key signing event; to the event you have to bring your I.D. card or passport as well as a print of your key's fingerprint.

    --
    -- I love the smell of Blue Screens in the morning.

  6. looking for big fish to cross sign with by Yonder+Way · · Score: 0

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I'd like to cross-sign keys with some of the PGP "big kahunas". How hard is it to get one of them to sign your key? I tried asking ESR, because he lives relatively close to me, but I never got a response.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (Darwin)

    iD8DBQE+PdfrYPuF4Zq9lvYRAkNAAKDEWv1yWVbBDR0u+//8oc4A0iJtaQCgkv/P
    dxAdtu3cSRcoANVuO9tB/uE=
    =Lea7
    -----END PGP SIGNATURE-----

    1. Re:looking for big fish to cross sign with by Isomer · · Score: 3, Informative
      If you are interested in finding people to trade signatures with, you might want to try http://www.biglumber.com . They provide a list of people grouped by area who are interested in finding people to trade signatures. They also list 'events' where keysignings take place (e.g. LUG meetings).

      Of course you often find you need to get people *outside* your area to sign your key to make it any use. So if you're thinking of travel, it's probably an excellent place to go look for someone to trade signatures when you're out of town.

    2. Re:looking for big fish to cross sign with by Anonymous Coward · · Score: 0

      Well, ESR signed my key after I showed him how to use GnuPG. ;)

      Actually, a number of the prominent figures in the PGP space came to CodeCon last year, including Jon Callas, Rodney Thayer, and Phil Zimmermann. Getting out to such events and meeting the people you want to have sign your key is the first step.

  7. Six degrees of "I don't know these people." by bsdbigot · · Score: 3, Informative

    Personally, I think that this kind of large-scale key signing is antithetical to the purpose of signed keys. A Web of Trust means nothing if I know or trust nobody in that web. I mean, let's be realistic - there is a limit as to how far we will let our trust go in personal relationships - everyone has a friend of a friend that's into some questionable shite; my keys are signed by two of my closest friends, my father, and a guy that I've worked closely with for going on 6 years. You see, just meeting someone doesn't mean that you can attest to their character. In this case, you don't even have to meet these potentially thousands of people - how can you honestly say that any one of them could be trustworthy and responsible enough to deserve your signature?

    On that note, I personally would be suspicious of anyone that had more than a dozen or so signings of his/her key.

    My philosophy (using the friend of a friend model) is you're probably safe if you're within four degrees (inclusive) - that is, if you're getting messages/content/whatever from an entity that is only four degrees from you by signature, I think you're probably guaranteed to be in a trustworthy transaction, assuming that everyone practices responsible signing. And, isn't that the whole purpose?

    Final word: Verisign is a different type of trust model - I don't purport to be addressing that model in my argument.

    --
    main(){char I,l,O[]={'-',1-1,0,(1<<5)-1,0+'-',-10-1,-10,11-0,- 1,-100};for(I=l=0;l<10+0;put

    1. Re: Six degrees of "I don't know these people." by Omniscient+Ferret · · Score: 3, Interesting

      The web of trust isn't meant to represent character references - it's not like the Slashdot friends and foes system. It's meant to work as an identification system, to verify that someone is who they claim to be. They may not be trustworthy, but to work with reputations online, you need persistent identities first, don't you?

    2. Re: Six degrees of "I don't know these people." by bsdbigot · · Score: 2, Insightful

      I dunno. You raise a good point. I'm actually fighting with myself on this very issue. I believe that they are implicitly related.

      Take, for example, Saddam Hussein, to illustrate your point. Sure, I wouldn't mind telling people who he is (in fact, I make it a point in daily life these days to make sure that people know who he is, but that's a different thread), but by acting as an enabler for his transaction (I verified his identity), does that not make me somewhat liable? If my signing of his key put the person on the other side of his transaction over the threshold for continuing the transaction, am I not in the least bit responsible for the contents of the transaction? Theoretically, I would say no, but realistically, I would say yes.

      So, by participating in this mass signing, can I really be sure that the people in control of the keys I sign are the people that they say they are? I certainly could not pick any of them out of a lineup. They may all be upstanding people with the highest morals and goals, but I will never sign a key for someone I don't personally know, and know well. By the same logic, I wouldn't want anyone that I don't know signing my key.

      How about the eBay user feedback system as a trivial but similar situation? By giving someone good feedback, you are helping to establish that person as a credible entity to do business with. Good in theory, but there are cranks abound on eBay - let's say that I am a wholly disreputable seller, and I get some friends to "buy" a lot of merchandise from me, and to give good feedback. The sheer volume of good comments may convince my real targets to do business with me - I take their money and run. On the other hand, let's say I'm a good seller. eBay is my internet storefront, and I move lots of merchandise through there. People like me because I have good prices and great product, so I get good feedback. Any potential buyer should still be leery of me, unless he/she personally knows one or more of my commentators. The buyer has no other reliable method of establishing that I am not going to screw them in the transaction.

      That is directly analogous to participating in this mass signing. It opens the doors for deception; whether or not deception occurs is irrelevant.

      The simple act of identifying someone reflects on your character. I know that the people whose keys I've signed are very responsible about protecting their personal data. I know that they would never reveal their passphrase or leave their private keys available to compromise. They believe the same of me. This is the trust that we share, that allows us to act as a responsible second party identification system for each other.

      At the end of the day, I being a party of a two-way PGP transaction, am trusting you, the signer of the other party's key, that the other party is who they say they are. I don't know you from Jack - and if you don't know the other party from Jack, then it is a breach of trust, not between me and my co-communicator, but between me and you. Should the other party end up to be not who they claim to be, you are at fault - you helped encourage me (by establishing that party's identity) to continue the transaction. That is a responsibility that I refuse to take on.

      Sorry to ramble on, but it really did take this much thought to articulate my point.

      --
      main(){char I,l,O[]={'-',1-1,0,(1<<5)-1,0+'-',-10-1,-10,11-0,- 1,-100};for(I=l=0;l<10+0;put

    3. Re:Six degrees of "I don't know these people." by jarran · · Score: 2, Interesting

      By signing someone's key you are not declaring that you trust that person, only that you trust that they are who they say they are.

    4. Re: Six degrees of "I don't know these people." by Jim+Efaw · · Score: 2, Insightful

      First, I wouldn't be quick to judge someone unfavorably by the high number of signatures on a key. Not only does that punish people who really might have that many close acquaintances (which makes them valuable to the Web of Trust), but a key owner has no control over who slaps frivolous signatures on his public key without his consent. I assume that a lot of well-known net-celebrities each has at least a couple of non-consensual "new best friends" who went out and signed his alleged key because they met him once, and didn't verify his fingerprint because they still don't get the idea. I had a guy offer to sign my key without verifying my identity, and I'm nowhere near famous. (Needless to say, he's marked as a worthless signature in my trust database.)

      On the Web of Trust: I've always understood that trusting a person's identity, and trusting their willingness to sign other keys correctly, were different issues. I think the real problem is that, since most PGP implementations (as far as I know) only allow for a public declaration of identity trust, not signing trust, the Web of Trust really only works if you assume that most people would only sign people they trust to treat other keys the same way. Unfortunately, that's not always going to be true. Even if you sign only the keys of people whose behavior you trust, it's a leap of faith to expect that people even 2 hops away will do the same. (Apparently there is a way to specify the "introducer" trust of the key in the OpenPGP spec, but I haven't seen that in use.)

      On being an accessory by signing a key: If the government issues an ID card to someone they know is alcoholic, and that person uses the card to prove age, and thus to buy liquor, and then the person does something stupid because they're drunk, is the state responsible? This goes back to the topic of what a person's Web of Trust really is. Are you participating in a private clique (in which case you can at least declare that you expect a certain amount of discretion until the PGP implementations are more robust), or a mass public service? Under the current system, if you don't know, in general terms, who almost all of the people in a trust chain are, you have no reason to trust that the owner at the bottom of the signature chain is who they claim anyway.
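
The distinction the last two replies turn on (a signature says "this key belongs to the named person"; whether that person is trusted to check others before signing is a separate, local setting) is exactly what a PGP client's trust computation encodes, and it also bounds the "four degrees" idea in the parent comment. As an added example (not code from the page, from GnuPG, or from any poster), the following models GnuPG's classic Web of Trust rules with its default thresholds (three marginal introducers or one full introducer make a key valid; validity propagates at most five hops). The key names and the signature graph are constructed.

```python
"""Identity validity versus introducer (owner) trust in a Web of Trust.

Added example; not from the page or from GnuPG. It reproduces GnuPG's classic
trust-model rules with the default knobs (--marginals-needed 3,
--completes-needed 1, --max-cert-depth 5). All key names are constructed.

  signature on a key -> evidence about IDENTITY: is this really Alice's key?
  ownertrust         -> INTRODUCER trust, set locally by me: do I trust Alice
                        to check ID before she signs someone else's key?

Validity only flows through keys I have marked as introducers, and only for a
bounded number of hops. Signing a key does not make its owner an introducer.
"""
from typing import Dict, Set, Tuple

MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5

Validity = Tuple[str, int]  # ("full" | "marginal" | "unknown", depth or -1)


def compute_validity(signatures: Dict[str, Set[str]],
                     ownertrust: Dict[str, str]) -> Dict[str, Validity]:
    """signatures[k] = set of keys that have certified k.
    ownertrust[k] in {"ultimate", "full", "marginal", "never", "unknown"};
    a missing entry means unknown. Returns validity for every key mentioned."""
    keys = set(signatures) | {s for sigs in signatures.values() for s in sigs} | set(ownertrust)
    validity: Dict[str, Validity] = {k: ("unknown", -1) for k in keys}
    for k in keys:
        if ownertrust.get(k) == "ultimate":
            validity[k] = ("full", 0)  # my own keys: valid by definition

    for depth in range(1, MAX_CERT_DEPTH + 1):
        # Introducers usable at this hop: already fully valid at a shallower
        # depth AND marked by me as an introducer. A signature from a key I
        # believe is genuine but have not marked as an introducer carries no
        # weight, which is the "identity is not signing trust" point.
        introducers = {k for k, (v, d) in validity.items()
                       if v == "full" and d < depth
                       and ownertrust.get(k) in ("ultimate", "full", "marginal")}
        changed = False
        for k in keys:
            if validity[k][0] == "full":
                continue
            signers = signatures.get(k, set()) & introducers
            completes = sum(1 for s in signers if ownertrust.get(s) in ("ultimate", "full"))
            marginals = sum(1 for s in signers if ownertrust.get(s) == "marginal")
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                validity[k] = ("full", depth)
                changed = True
            elif marginals >= 1 and validity[k][0] == "unknown":
                validity[k] = ("marginal", depth)  # some evidence, below threshold
                changed = True
        if not changed:
            break
    return validity


# Constructed web. "me" is my own key; every other name is hypothetical.
SIGS: Dict[str, Set[str]] = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "eve":   {"alice"},                  # one full introducer -> fully valid
    "frank": {"bob", "carol", "dave"},   # three marginal introducers -> fully valid
    "grace": {"bob"},                    # one marginal introducer -> marginal only
    "heidi": {"eve"},                    # eve is valid but NOT an introducer -> unknown
    # A chain of full introducers: each hop is one degree further from me.
    "c2": {"alice"}, "c3": {"c2"}, "c4": {"c3"}, "c5": {"c4"}, "c6": {"c5"},
}
OWNERTRUST: Dict[str, str] = {
    "me": "ultimate", "alice": "full",
    "bob": "marginal", "carol": "marginal", "dave": "marginal",
    "c2": "full", "c3": "full", "c4": "full", "c5": "full",
}


def demo() -> Dict[str, Validity]:
    return compute_validity(SIGS, OWNERTRUST)


if __name__ == "__main__":
    for key, (v, d) in sorted(demo().items()):
        print(f"{key:6} validity={v:8} depth={d}")
```

Two things fall out of running it: `heidi` stays unknown even though `eve`'s key is fully valid, because I never marked `eve` as an introducer, so a mass-signing participant who collects hundreds of signatures gains nothing in my keyring unless I separately decide to trust their signing practice; and `c6` stays unknown despite an unbroken chain of full introducers, because it is six hops away and the depth limit stops at five.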

  8. Inefficient and bad way for signing by AnteTempore · · Score: 1

    I am very surprised after reading http://sion.quickie.net/keysigning.txt
    This is a very inefficient way of signing and it does not provide you with the guarantee that the one you sign really is the person.

    A much more efficient way is described on
    http://ole.tange.dk/projekter/keysigning/