PGP Key Signing Event Of The Year
Meyer Wolfsheim writes "The registration page for CodeCon includes a field for attendees' PGP keys. Apparently, the organizers are planning a massive group keysigning using the Zimmermann-Sassaman method. This could be a great way to increase your Web of Trust ranking." (Here's a previous mention of this year's CodeCon.)
Massive isn't the word that immediately comes to mind when looking at that sponsor/presenter list. Maybe a couple thousand people at most.
Back in the real world, companies are signing with Verisign. Where is the Verisign booth?
I have been pwned because my
I dunno. You raise a good point. I'm actually fighting with myself on this very issue. I believe that they are implicitly related.
Take, for example, Saddam Hussein, to illustrate your point. Sure, I wouldn't mind telling people who he is (in fact, I make it a point in daily life these days to make sure that people know who he is, but that's a different thread), but by acting as an enabler for his transaction (I verified his identity), does that not make me somewhat liable? If my signing of his key put the person on the other side of his transaction over the threshold for continuing the transaction, am I not in the least bit responsible for the contents of the transaction? Theoretically, I would say no, but realistically, I would say yes.
So, by participating in this mass signing, can I really be sure that the people in control of the keys I sign are the people that they say they are? I certainly could not pick any of them out of a lineup. They may all be upstanding people with the highest morals and goals, but I will never sign a key for someone I don't personally know, and know well. By the same logic, I wouldn't want anyone that I don't know signing my key.
How about the eBay user feedback system as a trivial but similar situation? By giving someone good feedback, you are helping to establish that person as a credible entity to do business with. Good in theory, but there are cranks abound on eBay - let's say that I am a wholly disreputable seller, and I get some friends to "buy" a lot of merchandise from me, and to give good feedback. The sheer volume of good comments may convince my real targets to do business with me - I take their money and run. On the other hand, let's say I'm a good seller. eBay is my internet storefront, and I move lots of merchandise through there. People like me because I have good prices and great product, so I get good feedback. Any potential buyer should still be leery of me, unless he/she personally knows one or more of my commentators. The buyer has no other reliable method of establishing that I am not going to screw them in the transaction.
That is directly analogous to participating in this mass signing. It opens the doors for deception; whether or not deception occurs is irrelevant.
The simple act of identifying someone reflects on your character. I know that the people whose keys I've signed are very responsible about protecting their personal data. I know that they would never reveal their passphrase or leave their private keys available to compromise. They believe the same of me. This is the trust that we share, that allows us to act as a responsible second party identification system for each other.
At the end of the day, I, being a party of a two-way PGP transaction, am trusting you, the signer of the other party's key, that the other party is who they say they are. I don't know you from Jack - and if you don't know the other party from Jack, then it is a breach of trust, not between me and my co-communicator, but between me and you. Should the other party end up to be not who they claim to be, you are at fault - you helped encourage me (by establishing that party's identity) to continue the transaction. That is a responsibility that I refuse to take on.
Sorry to ramble on, but it really did take this much thought to articulate my point.
main(){char I,l,O[]={'-',1-1,0,(1<<5)-1,0+'-',-10-1,-10,11-0,
First, I wouldn't be quick to judge someone unfavorably by the high number of signatures on a key. Not only does that punish people who really might have that many close acquaintances (which makes them valuable to the Web of Trust), but a key owner has no control over who slaps frivolous signatures on his public key without his consent. I assume that a lot of well-known net-celebrities each has at least a couple non-consensual "new best friends" who went out and signed his alleged key because they met him once, and didn't verify his fingerprint because they still don't get the idea. I had a guy offer to sign my key without verifying my identity, and I'm nowhere near famous. (Needless to say, he's marked as a worthless signature in my trust database.)
On the Web of Trust: I've always understood that trusting a person's identity, and trusting their willingness to sign other keys correctly, were different issues. I think the real problem is that, since most PGP implementations (as far as I know) only allow for a public declaration of identity trust, not signing trust, the Web of Trust really only works if you assume that most people would only sign people they trust to treat other keys the same way. Unfortunately, that's not always going to be true. Even if you sign only the keys of people whose behavior you trust, it's a leap of faith to expect that people even 2 hops away will do the same. (Apparently there is a way to specify the "introducer" trust of the key in the OpenPGP spec, but I haven't seen that in use.)
On being an accessory by signing a key: If the government issues an ID card to someone they know is alcoholic, and that person uses the card to prove age, and thus to buy liquor, and then the person does something stupid because they're drunk, is the state responsible? This goes back to the topic of what a person's Web of Trust really is. Are you participating in a private clique (in which case you can at least declare that you expect a certain amount of discretion until the PGP implementations are more robust), or a mass public service? Under the current system, if you don't know, in general terms, who almost all of the people in a trust chain are, you have no reason to trust that the owner at the bottom of the signature chain is who they claim anyway.
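The distinction the comment above draws, between accepting that a key belongs to a person and trusting that person to certify other keys, is exactly what the GnuPG-style trust model encodes with a local "ownertrust" setting that is separate from the signatures themselves. The following is an added illustration, not code from the thread or from any PGP implementation: a toy evaluator that walks a constructed signature graph and reports which keys the local user may treat as valid. All names (alice, bob, carol, mallory, ...), the threshold constants, and the helper functions are made up for the example; the rules (one fully trusted introducer or three marginal ones, a maximum certification depth) mirror GnuPG's defaults but the depth bookkeeping is simplified.

```python
# Added example: a toy Web of Trust evaluator separating key validity
# ("this key really belongs to that person") from introducer trust
# ("I trust that person to verify others before signing").
# All keys, names and signatures below are constructed sample data.

MARGINALS_NEEDED = 3   # marginal introducers needed to validate a key
COMPLETES_NEEDED = 1   # fully trusted introducers needed to validate a key
MAX_CERT_DEPTH = 5     # longest chain of introducers we will follow


def compute_validity(certifications, ownertrust, ultimate,
                     marginals_needed=MARGINALS_NEEDED,
                     completes_needed=COMPLETES_NEEDED,
                     max_cert_depth=MAX_CERT_DEPTH):
    """Return {key: depth} for every key the local user can consider valid.

    certifications: {key: set of keys that signed it}  (public, on the keyring)
    ownertrust:     {key: 'full' | 'marginal' | 'none'} (local, never exported)
    ultimate:       the local user's own keys, valid at depth 0
    """
    validity = {k: 0 for k in ultimate}
    changed = True
    while changed:                       # iterate to a fixpoint
        changed = False
        for key, signers in certifications.items():
            if key in ultimate:
                continue
            full = marginal = 0
            depths = []
            for signer in signers:
                if signer not in validity:
                    continue             # signature from an unvalidated key: worthless
                if validity[signer] >= max_cert_depth:
                    continue             # chain would be too long
                trust = "full" if signer in ultimate else ownertrust.get(signer, "none")
                if trust == "full":
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue             # valid identity, but not trusted as an introducer
                depths.append(validity[signer] + 1)
            if full >= completes_needed or marginal >= marginals_needed:
                new_depth = min(depths)
                if key not in validity or new_depth < validity[key]:
                    validity[key] = new_depth
                    changed = True
    return validity


def validate_chain(length, max_cert_depth):
    """Constructed helper: a straight chain alice -> c1 -> c2 -> ... of fully
    trusted introducers, to show the depth limit cutting a chain off."""
    names = [f"c{i}" for i in range(1, length + 1)]
    certs = {n: {prev} for prev, n in zip(["alice"] + names, names)}
    trust = {n: "full" for n in names}
    return compute_validity(certs, trust, {"alice"}, max_cert_depth=max_cert_depth)


# Constructed keyring: who signed whom.
ULTIMATE = {"alice"}
CERTIFICATIONS = {
    "bob": {"alice"},
    "carol": {"alice"},     # Alice checked Carol's fingerprint, so Carol's key is valid...
    "dave": {"bob"},
    "mallory": {"carol"},   # ...but Carol signs without checking, so her signatures count for nothing
    "frank": {"alice"}, "gina": {"alice"}, "hank": {"alice"},
    "ivan": {"frank", "gina", "hank"},   # three marginal introducers agree
    "jack": {"frank", "gina"},           # only two: not enough
    "kim": {"ivan"},                     # Ivan is valid but has no ownertrust set
}
# Constructed local ownertrust: Alice's private opinion of each person as an introducer.
OWNERTRUST = {
    "bob": "full",
    "carol": "none",
    "frank": "marginal", "gina": "marginal", "hank": "marginal",
}

if __name__ == "__main__":
    valid = compute_validity(CERTIFICATIONS, OWNERTRUST, ULTIMATE)
    for name in sorted(CERTIFICATIONS):
        status = f"valid at depth {valid[name]}" if name in valid else "NOT valid"
        print(f"{name:8s} {status}")
    chain = validate_chain(6, MAX_CERT_DEPTH)
    print("chain of 6 with depth limit 5:", sorted(chain))
```

Run stand-alone, the script marks bob, carol, dave, frank, gina, hank and ivan valid, and mallory, jack and kim not: carol's key is accepted as hers yet her signature on mallory carries no weight, which is the comment's point that identity trust and signing trust are different things. OpenPGP does allow an introducer trust level to be carried inside a signature (the trust signature subpacket of RFC 4880), but ordinary certification signatures convey only identity, so the ownertrust table above has to stay local.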