OpenPGP Meetup

An anonymous reader writes "Please mention the upcoming OpenPGP meetups, http://openpgp.meetup.com/. getting crypto out there into the mainstream is the only defence we have from outside interference." Consider it mentioned. I don't really know how getting together at local bar or whatever brings crypto "into the mainstream", but maybe you can sign the bartender's key or something.

Aka "Pgp Key signing party"

[hrarbinger]

Although the web page is sparse on details (I might go so far as to say completely devoid) this isn't a bad idea. Getting folks together to develop a web of trust is the whole point of the PGP model. The more people who have signed your key, the more likely you and someone you don't know will have a common person that you both do know who has signed your keys. Without ever directly meeting them, you can put your trust in the common associate and send encrypted messages or verify digital signatures.

The problem is doing PGP signing the right way. I really suggest anyone attending one of these events take a look at web pages that describe "PGP Key Signing Parties" (just google, you'll find a bunch) to get the idea. In brief, to be absolutely sure that you trust a key belongs to someone, you need to verify the following:

1. The key ID (2BCA871D for example)
2. The key type (DSA, RSA, etc)
3. The key bits (768, 1024, 2048)
4. The key fingerprint (A028 82B4 14CC ...)

Any one of these items can be forged while maintaining the others, so you need to verify them all.

Now, the hard part is how do you verify that this human who has brought these bits of data is the actual human associated with the key? You can check their driver's license and things like that. But of course this is where it's much better to only sign keys of people you know, rather than just total strangers.