Hi Jerome
First let me say my knowledge about these stuffs is very very basic, so
please correct me if I am wrong.
I was surprised by you saying that you need to know and trust people
personally before signing their key.
By signing a key you are not saying "I trust this person", you are saying
"I know that this key belongs to this person". So that you know you are
communicating with them and not somebody else.
That is my belief anyway. If people are using the WoT as proof that someone
is nice, that they aren't a cop, or anything like that, then I think (in my
very humble opinion) they are making a mistake.
On the other hand, I suppose you need to trust that they won't give their
key to someone else (by choice, coercion or through insecure practices) so
maybe you have a point.
Naomi
On Tue, 26 Apr 2016 14:13 Kate Dawson, <k4t@???> wrote:
> Hi,
>
> I am of the opinion that a keysigning, and building the Web of Trust is an
> important piece of Tech activism that allows people to cryptographically
> validate
> and authenticate communications endpoints, without having to resort to a
> central authority.
>
> This allows various projects and organisations to perform some level of
> validation of identity across geographically large distances. For
> example Debian.
>
> For me, It's really unlikely that I will ever travel to the USA, however
> by keysigning, getting my key into the Web of Trust, I am able to have
> secure communications with people in the USA, with some reasonable
> assurances that those communications have certain properties of
> confidentiality, integrity and authenticity.
>
> Now I know it's not fashionable to use OpenPGP, and all the cool kids
> are using Slack to chat and Github for ID, however I've never been one for
> fashion. This is a technology that works for me, and has done for a
> decade or more. Getting signatures on a key strengthens it's validity,
> increases the connectedness of the WoT, and build a fault tolerant
> decentralized mechanism to bootstrap the "key exchange problem"
>
> Now, I know, someone will then announce that the WoT is a datamining,
> network mapping, spy system, to gather the whereabouts of all crypto
> geeks on the planet. That maybe! At least it's not monetized like the
> other network mapping data mining systems we happily give our data to on
> a daily basis. Additionally there are technical solutions to these
> problems. It's possible to use a "Local" signing feature of GnuPG. These
> signatures are not able to be exported to keyservers, preventing the
> visibility of signing to a 3rd party.
>
> Additionally the point about "trust" raised below, is a common
> misconception. It's not "trust" as in "do I trust you to repay a loan of
> 5€ to me" - but do I trust that you are the holder of a piece of
> cryptographic keying material associated with a communications endpoint.
>
>
> For maximum efficiency, the keysigning will use a modified
> Zimmermann–Sassaman key-signing protocol:
>
> http://www.cryptnet.net/mirrors/docs/zimmermann-sassaman.txt
>
>
> Participants will enter their public key fingerprints into an online
> document
>
> For example, ( but we may decide to not use this particular pad on the
> day )
> https://pad.riseup.net/p/squatconf.eu-2016-keysigning
>
> After a certain time the document will be locked, and downloaded by
> participants.
> The sha256 of the document will be compared and checked
> amongst participants.
> They party facilitator will read out the fingerprints to the
> participants, who will confirm that they are correct.
>
> Participants will take their copy of the document and sign only those
> verified keys at a later date.
>
> In my experiences this has been a working and usable technique make
> signing work well. Yes its a bit of a chore, and no, it's not as fun as
> sitting and listening to someone explaining the latest cool programming
> framework, but it's a real practical activity that makes the world a
> better place.
>
>
> Regards,
>
> Kate
>
> On Tue, Apr 26, 2016 at 10:54:38AM +0200, Jérôme Loï wrote:
> > Hi there Kate,
> > yes cfp is closed, and schedule is actually quite packed yet.
> >
> > about key signing party, thanks for raising the question. from this
> moment i’ll talk on my behalf and not as an organiser.
> >
> > I believe that trust comes form human to human interaction in a longer
> scale than a 2 day event, hence key signing party does not allow me to
> build the trust i would require to endorse someone.
> >
> > I usually sign key of ppl i KNOW, not ppl i just met, so imo, this does
> not deserve “dedicated” time.
> >
> > Still now that the subject is on the table, I’m waiting for the
> discutions this mail will probably raise and stay open for argument that
> would switch my mind, or make most of the org to disagree with me.
> >
> > Regards
> > Jérome
> >
> >
> > > On 25 Apr 2016, at 23:58, Kate Dawson <k4t@???> wrote:
> > >
> > > I note that the CFP has closed.
> > > But there is not Keysigning party
> > >
> > > Is there opportunity to get such a thing still on the timetable ?
> > >
> > > Regards,
> > > Kate
> > > --
> > > "The introduction of a coordinate system to geometry is an act of
> violence"
> > > _______________________________________________
> > > Squatconf mailing list
> > > Squatconf@???
> > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/squatconf
> >
> > _______________________________________________
> > Squatconf mailing list
> > Squatconf@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/squatconf
>
> --
> "The introduction of a coordinate system to geometry is an act of violence"
> _______________________________________________
> Squatconf mailing list
> Squatconf@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/squatconf
>
::
Re: [Squatconf] Keysigning Party
