Slashdot Mirror


OpenPGP Meetup

An anonymous reader writes "Please mention the upcoming OpenPGP meetups, http://openpgp.meetup.com/. Getting crypto out there into the mainstream is the only defence we have from outside interference." Consider it mentioned. I don't really know how getting together at a local bar or whatever brings crypto "into the mainstream", but maybe you can sign the bartender's key or something.

24 comments

  1. Mainstream crypto by 0x0d0a · · Score: 1

    I don't really know how getting together at a local bar or whatever brings crypto "into the mainstream", but maybe you can sign the bartender's key or something.

    Umm...network effects from keysignings, which (to be technically accurate) require in-person identity verification?

    I never really went out for that much effort. If I've emailed a person back and forth a few times, and their email address is on their web page, I pretty happily sign their key. PGP should be *useful*, not an anchor around one's neck.

    1. Re:Mainstream crypto by Nicolai+Haehnle · · Score: 1

      This brings up an interesting issue. As far as I can tell, key signing is only useful for connecting an electronic identity (the PGP key) with a physical identity (the actual person involved).

      When one's working a lot with people from all over the globe via the internet, and you're never going to meet most of them, you can't really make this connection. However, there could be other useful connections to make.
      For example, once I've emailed with the creator of software Foo a number of times, I do know that he really is the creator of that software, but I have no idea whether he's using his real name in the mail exchange.
      It would be useful if I could create a signature that says "yep, he created software Foo" without saying "yep, he's really ".

    2. Re:Mainstream crypto by 0x0d0a · · Score: 1

      No real reason you have to link a real life name to a PGP key.

      Just an email address...that's all you really need.

      For example, Red Hat signs their RPMs with a GPG key that isn't used for sending mail or anything else.

  2. Hello drunk person by stefanlasiewski · · Score: 1

    Hello Drunk Person, I am also drunk.

    Sure, I didn't know you 3 hours ago, but after a few rounds, I'll sign your key right away!

    --
    "Can of worms? The can is open... the worms are everywhere."
    1. Re:Hello drunk person by Anonymous Coward · · Score: 0

      I don't know about you but my local bartender knows my name, people I hang out with and what we all normally drink. Hmm... maybe I ought to try to get out less.

    2. Re: Hello drunk person by blinka · · Score: 1

      Hopefully this should not be a problem. If you're drunk enough to be willing to sign someone's key without properly verifying everything, then you're probably too drunk to type your passphrase. You're certainly too drunk to read the 'gpg -h' output and remember what the command line switches are. You're more likely to end up signing a copy of some sensitive file and sending it out to all your friends.

  3. So can someone explain these things? by stefanlasiewski · · Score: 2, Informative

    If there is one reason where Crypto-folks have failed, it's in explaining why key-signing is important to non-Crypto-folks. My friend signs the key of some stranger he met at Starbucks in Alameda. Why should I care?

    I've had a PGP key for about 8 years, and it's been used by others to send a sekret mezage to me less than a dozen times. Off the top of my head, I can think of dozens of people who have a Key, and only 1 other person who does have a key.

    Why is this important? Why should I care?

    --
    "Can of worms? The can is open... the worms are everywhere."
    1. Re:So can someone explain these things? by Yonder+Way · · Score: 1

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      High level overview here.

      E-mail sent via SMTP is the electronic equivalent of a postcard. Anyone handling the message en-route can read it in clear text. But because it is digital, the likelihood of it being read by at *least* a 'bot (like Carnivore) is quite high.

      The other major problem with e-mail is accountability; how do I know who this message *really* came from?

      OpenPGP implementations like PGP and GnuPG address both of these issues.

      You can encrypt a message to make sure only the intended recipient can open it. If regular email is a post card, encrypted email is more like a courier delivered parcel with a lock on it that only the recipient has a key for.

      These programs also allow a sender to digitally sign messages in such a way that you can authenticate that a message is from the person that they claim to be.

      But how do you know that the signature is valid? The Internet is a global community, and the people you get email from are from all over the world. I have never personally met the guy that maintains security patches for my favorite Linux distro, but a lot of other people have. They went through the trouble of looking at his driver's license or passport and then signing his key to vouch for his identity with their own key. There is a chain, or rather a web, of trust extending from me to the guy that signs those security updates. The more direct the link between me and the other guy, the more likely I can trust the message is legit. Or the more people that *I* trust that trust someone else, the more I can trust that third party.

      Your own messages become more trustworthy if lots of people sign your key. Likewise, you're going to have more direct paths to other people around the Internet if you cross-sign with other OpenPGP users often.

      It's especially important to do this when you travel, as the web of trust tends to have concentrated regional pockets and really needs links between regional webs to tie them together.

      That said, I'm often available to sign keys in the suburbs of Philadelphia.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.2.1 (Darwin)

      iEYEARECAAYFAj6XU5YACgkQYPuF4Zq9lvZDBACdE8Yew9AuKx8pTaFKi2VkxRnW
      lrMAoLykn6/e/XnmpYIyKAwK9u7/o8wP
      =0gkI
      -----END PGP SIGNATURE-----
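The "web of trust" rule the comment above describes (one link I fully trust, or several people I trust somewhat, all vouching for the same key) is a concrete algorithm in the classic GnuPG trust model. The following is an added example, not code from the original thread or from GnuPG itself: it computes key validity from a constructed certification graph using GnuPG's default thresholds (one fully trusted introducer, or three marginally trusted ones, within a chain depth of five). All key names are made up.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Owner-trust levels, named as GnuPG names them.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class WebOfTrust:
    """Key validity computed the way the classic GnuPG trust model does it.

    signatures[key] is the set of keys that have certified (signed) `key`.
    ownertrust[key] is how far I trust the *owner* of `key` to check
    identities before signing; unlisted keys default to UNKNOWN and cannot
    vouch for anyone, even when their own key is valid.
    """
    signatures: dict[str, set[str]] = field(default_factory=dict)
    ownertrust: dict[str, str] = field(default_factory=dict)
    completes_needed: int = 1   # one fully trusted introducer suffices ...
    marginals_needed: int = 3   # ... or three marginally trusted ones
    max_cert_depth: int = 5     # longest chain from my own key that counts

    def sign(self, signer: str, signee: str) -> None:
        self.signatures.setdefault(signee, set()).add(signer)

    def validity(self) -> dict[str, int]:
        """Return {key: depth} for every key whose identity binding is valid."""
        # My own (ultimately trusted) keys are valid by definition, at depth 0.
        valid = {k: 0 for k, t in self.ownertrust.items() if t == ULTIMATE}
        for depth in range(1, self.max_cert_depth + 1):
            newly_valid: dict[str, int] = {}
            for key, signers in self.signatures.items():
                if key in valid:
                    continue
                full = marginal = 0
                for s in signers:
                    if s not in valid:          # only valid keys can introduce
                        continue
                    trust = self.ownertrust.get(s, UNKNOWN)
                    if trust in (ULTIMATE, FULL):
                        full += 1
                    elif trust == MARGINAL:
                        marginal += 1
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    newly_valid[key] = depth
            if not newly_valid:                 # fixpoint reached
                break
            valid.update(newly_valid)
        return valid

    def is_valid(self, key: str) -> bool:
        return key in self.validity()


def build_example() -> WebOfTrust:
    """Constructed sample web (no real keys): me -> friends -> distant maintainers."""
    w = WebOfTrust()
    w.ownertrust.update({
        "me": ULTIMATE,
        "alice": FULL,        # I know Alice checks passports carefully
        "bob": MARGINAL,      # Bob, Carol and Dave: met at keysignings, less sure
        "carol": MARGINAL,
        "dave": MARGINAL,
    })
    for friend in ("alice", "bob", "carol", "dave"):
        w.sign("me", friend)
    w.sign("alice", "distro-security")          # one full introducer is enough
    for m in ("bob", "carol", "dave"):
        w.sign(m, "patch-maintainer")            # three marginals add up to valid
    w.sign("bob", "stranger")                    # one marginal alone is not enough
    w.sign("patch-maintainer", "eve")            # valid key but UNKNOWN ownertrust: cannot vouch
    return w


if __name__ == "__main__":
    for key, depth in sorted(build_example().validity().items(), key=lambda kv: kv[1]):
        print(f"{key:18s} valid (depth {depth})")
```

Two things the model makes visible that the prose glosses over: a key being valid (I believe it belongs to its named owner) is separate from owner trust (I believe that person verifies others carefully), so the maintainer's key can be valid without his signatures on other keys counting for anything; and dropping one of the three marginal signers drops the maintainer's key back to unknown validity.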

    2. Re:So can someone explain these things? by Feztaa · · Score: 1

      Why is this important? Why should I care?

      A plaintext email can easily be read by anybody who wants to read it, and emails aren't at all hard to spoof, either. PGP provides a way of verifying that the email you are reading was in fact written by the person who claims to have written it (assuming it's signed and you trust their key), and that nobody else read it in between his writing it and your reading it (assuming it's encrypted).

      Sure, it might not matter much to you if John Q. Hax0r reads your correspondence with your mother, but for some people, it's very, very important to ensure that privacy is maintained. Politics and big business come to mind (two corrupt business men would want to keep their corporate crimes a secret, so they'd naturally encrypt their emails to each other -- ok, bad example...). It's surprising how few people have actually adopted this, though.

      A better example would be, never ever ever install a piece of software unless its PGP signature verifies properly, and you trust that the key used to sign it is valid. If not, then it could very easily be trojaned or tampered with in some other way. Unfortunately, not all developers sign their work.

      In an ideal world, all email would be encrypted & signed, then you wouldn't have to worry so much about your online privacy :)

    3. Re:So can someone explain these things? by stefanlasiewski · · Score: 1

      Unfortunately, not all developers sign their work

      And a lot provide an md5 signature instead.

      So much encryption, so little time.

      --
      "Can of worms? The can is open... the worms are everywhere."
  4. I can see it now... by CustomFort · · Score: 3, Funny

    Me: Hey barkeep, pour me a
    -----BEGIN PGP MESSAGE-----
    Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com

    qANQR1DBwU4Dycxpn5YWMKIQB/4jcQBenjBJUnUCg4BX7mSmJvfxGmKk4DaBoYCT
    mYyN2Psw/BF/vzodvEzX+BpbdFuhnDd4p5QQ0G9JMWlkAkmVPQZX4TWKN4Lmdpm7
    Eu6x6tWRC+nSJze7+NfxX8mx/TyuhNKMucqEIfxut795ehc4DzCBKqUsedWAa4XZ
    1/T2mrLjCf5lhP4g26fFnXZvm2ME4SY3UM+HHAQmXABnuq50581owfCYfgXgc9Iu
    jRdlzhC/2VCHXgoy9e7FIquycedSyZWWTC4TI0YFbNJ0CW1L8eJF1AXwdzziWqsD
    KOu6Dkc6LGp9NEQTE4rCT95PNBvA8h2CvpS+nyW8dCYiyliMB/961qqP5+txodPM
    8mpq3ZsOpZJ851BXjCfUsv5JcFa7eYQ/qdYnCw01fjcl2yPuWWDi+rgOCrZGCDyQ
    NX+2/X7evJZXKfX2EceHS0jX7LEQYY+jJ1QQS/NxL8DQOm+CKj1STaj9zFlZiecF
    a6/XVCJn44pxbus0+deCH4tutBSZIMfZECYcPGPnSNG/dSRg/DuI73zlLW/Rq0w8
    KnF6vvOibrodT7caa//ZSfQpcqUf5YAdncPTi02P+rS92ajQu6j2q8SFh6HLI45R
    iK08HZNoy0ERg/Iy+L+AXn1Nvzs6PfrMEuV1LHQsIfi46UoecsTZFqWOAcUKJ61h
    Esw0WHdsySjhQlfzNB4g8+Tp/m36kr7D3UdJi4nc/BYf8rwmenRX8k+tXXpcEjrb
    =m8C5
    -----END PGP MESSAGE-----

    BarKeep: That'll be
    -----BEGIN PGP MESSAGE-----
    Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com

    qANQR1DBwU4Dycxpn5YWMKIQB/4hSvhixkEZ+CYj4Ow+8fK+D4EpBEqRFdiL09S6
    XFVufOEDllOtctm4M/E7g2fu7znPc25b1sSNwOsMofcyXvQ5SjPV7oo3Q4kEA+rz
    +dVt260nxrXQjxuSsl6kx6rxdoPii+jMyv7PH/ZDluDwOFDQB+efs9NdYuwUnBB7
    yBj6/9Fu+16uAQuY+Dnlia6kub9XNVGuH3dlgvYnDmT1Lk22a4eKara0HBd4ZEV4
    d3ObqK2uXjQfyvKbxQaIP3aNEFu/dpwkmKueIS7bW4YVeZpllbxFms2ORwKUpU8Z
    5zEQnwax9KI9NFhQbMgiQzrYdUEi7GTtKdo0NIwGo04bhBsRB/wIvYheeDy0JSvP
    1swLLDVNzChvSwfJUoNZJPopJaA5VNx6S5gb5xZBy7krieCru+Ll/FDHAUL08c2c
    ebURo1TYIK18jLxgXqdn0dVreNy1wdHOjEQcdo/eYY/2W6Z5SSyyUOrDUU+mO5RS
    yBrHo42JT/nlh+r5Ylq+KUeuvkZBamO1ITAVpuByrTFQsIShxBPdsWettSmjeM4v
    RabkYNO05GLxPI1DCPJrApDu1741ilKXj1FmqxKFzvPn+YypaYB7nNIzLyhAduiK
    H9I1gklvDmH3Ht/7OeZo4gGe7xO+K7AHz9oUdaKo/gC5do8eLeExY8Nihx+ct02L
    u7+e5GOxySWpPzHvDd8rOcB2u566WlbYMcb5t/i6735sHRWjTtO9NoY0NOx2
    =g4ea
    -----END PGP MESSAGE-----

  5. How does one revoke a PGP key from keyservers? by Anonymous Coward · · Score: 0

    Somewhat off-topic question, but maybe someone here knows how... who do I contact to get a PGP key removed from the world's keyservers? I'd really like to wipe my old ones (both of them) out of existence and start fresh. I haven't seen anything on this topic (but maybe I just haven't done enough research).

    Thanks in advance to anyone who knows...

    1. Re:How does one revoke a PGP key from keyservers? by greck · · Score: 1

      You need to create and distribute a revocation certificate... the docs for your PGP tool should tell you exactly how. See section 7 of the comp.security.pgp faq for general details.

  6. Aka "Pgp Key signing party" by hrarbinger · · Score: 3, Interesting
    Although the web page is sparse on details (I might go so far as to say completely devoid) this isn't a bad idea. Getting folks together to develop a web of trust is the whole point of the PGP model. The more people who have signed your key, the more likely you and someone you don't know will have a common person that you both do know who has signed your keys. Without ever directly meeting them, you can put your trust in the common associate and send encrypted messages or verify digital signatures.

    The problem is doing PGP signing the right way. I really suggest anyone attending one of these events take a look at web pages that describe "PGP Key Signing Parties" (just google, you'll find a bunch) to get the idea. In brief, to be absolutely sure that you trust a key belongs to someone, you need to verify the following:

    1. The key ID (2BCA871D for example)
    2. The key type (DSA, RSA, etc)
    3. The key bits (768, 1024, 2048)
    4. The key fingerprint (A028 82B4 14CC ...)
    Any one of these items can be forged while maintaining the others, so you need to verify them all.

    Now, the hard part is how do you verify that this human who has brought these bits of data is the actual human associated with the key? You can check their driver's license and things like that. But of course this is where it's much better to only sign keys of people you know, rather than just total strangers.

    1. Re:Aka "Pgp Key signing party" by 42forty-two42 · · Score: 1

      The key ID is the last 8 hex digits of the fingerprint, so you don't need to verify that.
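hrarbinger's four items (key ID, key type, key bits, fingerprint) and the reply above that the key ID is just the tail of the fingerprint can both be checked against the OpenPGP packet format. The block below is an added example, not code from the thread or from any PGP implementation: it builds a version 4 public-key packet body from constructed RSA parameters (a made-up 2048-bit odd number and the usual exponent, not a real key), computes the fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte body length, and the body), and derives the long and short key IDs from its low-order 64 and 32 bits.

```python
import hashlib
import struct

# Public-key algorithm IDs from RFC 4880 section 9.1.
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA"}


def mpi(n: int) -> bytes:
    """Encode n as an OpenPGP multiprecision integer: 2-byte bit count, big-endian value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf: bytes, off: int) -> tuple[int, int]:
    """Return (bit length of the MPI at `off`, offset just past it)."""
    bits = struct.unpack_from(">H", buf, off)[0]
    return bits, off + 2 + (bits + 7) // 8


def v4_public_key_body(algo: int, created: int, mpis: list[int]) -> bytes:
    """Body of a version 4 Public-Key packet (RFC 4880 section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fpr: str) -> tuple[str, str]:
    """Long (64-bit) and short (32-bit) key IDs are the low-order bits of the fingerprint."""
    return fpr[-16:], fpr[-8:]


def gpg_style(fpr: str) -> str:
    """Group as gpg prints it: ten blocks of four hex digits, a double space in the middle."""
    groups = [fpr[i:i + 4] for i in range(0, len(fpr), 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def describe(body: bytes) -> dict:
    """Everything on a key-signing slip, derived from the packet itself."""
    version = body[0]
    if version != 4:
        raise ValueError(f"only v4 keys handled, got version {version}")
    created = struct.unpack_from(">I", body, 1)[0]
    algo = body[5]
    # The first MPI is the RSA modulus n (or the DSA prime p); its bit length is the "key bits".
    bits, _ = read_mpi(body, 6)
    fpr = fingerprint(body)
    long_id, short_id = key_ids(fpr)
    return {
        "type": ALGO_NAMES.get(algo, f"algo {algo}"),
        "bits": bits,
        "created": created,
        "fingerprint": gpg_style(fpr),
        "long_id": long_id,
        "short_id": short_id,
    }


# Constructed RSA parameters for illustration only: not a real key, just a
# 2048-bit odd number and the customary exponent, enough to exercise the encoding.
SAMPLE_N = (1 << 2047) | (1 << 1234) | (1 << 17) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1_050_000_000  # seconds since the epoch (April 2003)

SAMPLE_KEY = v4_public_key_body(1, SAMPLE_CREATED, [SAMPLE_N, SAMPLE_E])

if __name__ == "__main__":
    for k, v in describe(SAMPLE_KEY).items():
        print(f"{k:12s} {v}")
```

Because the key ID, the algorithm and the bit count are all read off the same packet the fingerprint hashes, checking the full fingerprint against the slip (and then against the key you actually imported) covers the other three items; a short key ID is only 32 bits and is not a substitute for that comparison. Note also that the creation timestamp is part of the hashed body, so the same RSA modulus packaged with a different timestamp is a different key with a different fingerprint.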

  7. Terms of service for beer? by mcelrath · · Score: 2, Informative
    Don't bother kids. Only 56 people worldwide have signed up, and you have to agree to a 30-odd page "Terms of Service" to figure out where and when. That's just fucking ridiculous. I don't need a stupid terms of service to buy a beer with some crypto geeks.

    You'd think with all the talent out there someone would have written a quick CGI to do this, rather than using a commercial service (meetup.com).

    -- Bob

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    1. Re:Terms of service for beer? by Anonymous Coward · · Score: 0

      Oh yes. Capitalism bad. Grunt, grunt.

    2. Re:Terms of service for beer? by Omniscient+Ferret · · Score: 1

      You'd think with all the talent out there someone would have written a quick CGI to do this...

      Biglumber has. It currently has 498 people listed.

    3. Re:Terms of service for beer? by Feztaa · · Score: 1

      You'd think with all the talent out there someone would have written a quick CGI to do this, rather than using a commercial service (meetup.com).

      Well, there is Biglumber, which I rather like; it's just a shame that they didn't use it.

  8. How about with lost keys? by Anonymous Coward · · Score: 0

    Erm... what if I've lost my old keys?

    1. Re:How about with lost keys? by 0x0d0a · · Score: 1

      I hope you had an expiry date on the certificates. That's what it's there for.

  9. encryption won't be mainstream until... by Anonymous Coward · · Score: 0

    the GPG folks get off their high horses and realize that graphical user interfaces are the key to gaining a large audience.

    In particular, this means support on Windows, esp: hacking support into Outlook Express, and possibly creating a utility to automatically encrypt the contents of an email "form" in your webbrowser (such as someone using Hotmail via the web).

    Users won't stand for cutting and pasting and running command line utilities. As long as that is the requirement, utilities like GPG will only be used by the technically savvy, and even then, won't be used for every email - just the so-called important ones.