:: Re: [Squatconf] Keysigning Party
Góra strony
Delete this message
Reply to this message
Autor: holger krekel
Data:  
Dla: squatconf
Temat: Re: [Squatconf] Keysigning Party
Hi Kate,

On Tue, Apr 26, 2016 at 12:13 +0100, Kate Dawson wrote:
> Hi,
>
> I am of the opinion that a keysigning, and building the Web of Trust is an
> important piece of Tech activism that allows people to cryptographically validate
> and authenticate communications endpoints, without having to resort to a
> central authority.
>
> This allows various projects and organisations to perform some level of
> validation of identity across geographically large distances. For
> example Debian.
>
> For me, It's really unlikely that I will ever travel to the USA, however
> by keysigning, getting my key into the Web of Trust, I am able to have
> secure communications with people in the USA, with some reasonable
> assurances that those communications have certain properties of
> confidentiality, integrity and authenticity.


good points to which i agree.

> Now I know it's not fashionable to use OpenPGP, and all the cool kids
> are using Slack to chat and Github for ID, however I've never been one for
> fashion. This is a technology that works for me, and has done for a
> decade or more. Getting signatures on a key strengthens it's validity,
> increases the connectedness of the WoT, and build a fault tolerant
> decentralized mechanism to bootstrap the "key exchange problem"


ASFAIK Jerome and many others in this MLs context are using and
supporting GPG. I certainly am. it's one thing i intend to talk about
friday morning actually in the decentralized networking session.

> Now, I know, someone will then announce that the WoT is a datamining,
> network mapping, spy system, to gather the whereabouts of all crypto
> geeks on the planet. That maybe! At least it's not monetized like the
> other network mapping data mining systems we happily give our data to on
> a daily basis. Additionally there are technical solutions to these
> problems. It's possible to use a "Local" signing feature of GnuPG. These
> signatures are not able to be exported to keyservers, preventing the
> visibility of signing to a 3rd party.


Also from what you describe below i am not sure i am up to date on
current keysigning "party" practises. Last time i attended one
people insisted on seeing an ID/passport for signing my key.
is this still the case?

This practise i consider kind of decentralized policing. For me it's
enough to associate a physical someone with an email and public key.
I don't care what kind of government numbers that person has.

And to be honest i most often use and advocate trust on first use (TOFU) --
and then, if it becomes more important, verify by other channels, including
personal meetups, cross-signatures. Staging MITM attacks on TOFU is
possible but hard to do undetected on a mass scale.

Advocating TOFU doesn't speak against furthering the Web-of-Trust. For
me, it's not an either-or. But people can start and should be encouraged
using GPG right now and should not be required to attend a crypto-party
first.

So all in all looking forward to signing your and other keys soon :)
I don't know about timing and talks currently but i am happy
to discuss things more in depths on-site. Are you in Berlin
earlier than saturday?

greetings from a train to berlin,
looking forward to you all!
holger

> Additionally the point about "trust" raised below, is a common
> misconception. It's not "trust" as in "do I trust you to repay a loan of
> 5€ to me" - but do I trust that you are the holder of a piece of
> cryptographic keying material associated with a communications endpoint.
>


> For maximum efficiency, the keysigning will use a modified
> Zimmermann–Sassaman key-signing protocol:
>
> http://www.cryptnet.net/mirrors/docs/zimmermann-sassaman.txt
>
>
> Participants will enter their public key fingerprints into an online
> document
>
> For example, ( but we may decide to not use this particular pad on the
> day )
> https://pad.riseup.net/p/squatconf.eu-2016-keysigning
>
> After a certain time the document will be locked, and downloaded by
> participants.
> The sha256 of the document will be compared and checked
> amongst participants.
> They party facilitator will read out the fingerprints to the
> participants, who will confirm that they are correct.
>
> Participants will take their copy of the document and sign only those
> verified keys at a later date.
>
> In my experiences this has been a working and usable technique make
> signing work well. Yes its a bit of a chore, and no, it's not as fun as
> sitting and listening to someone explaining the latest cool programming
> framework, but it's a real practical activity that makes the world a better place.
>
>
> Regards,
>
> Kate
>
> On Tue, Apr 26, 2016 at 10:54:38AM +0200, Jérôme Loï wrote:
> > Hi there Kate,
> > yes cfp is closed, and schedule is actually quite packed yet.
> >
> > about key signing party, thanks for raising the question. from this moment i’ll talk on my behalf and not as an organiser.
> >
> > I believe that trust comes form human to human interaction in a longer scale than a 2 day event, hence key signing party does not allow me to build the trust i would require to endorse someone.
> >
> > I usually sign key of ppl i KNOW, not ppl i just met, so imo, this does not deserve “dedicated” time.
> >
> > Still now that the subject is on the table, I’m waiting for the discutions this mail will probably raise and stay open for argument that would switch my mind, or make most of the org to disagree with me.
> >
> > Regards
> > Jérome
> >
> >
> > > On 25 Apr 2016, at 23:58, Kate Dawson <k4t@???> wrote:
> > >
> > > I note that the CFP has closed.
> > > But there is not Keysigning party
> > >
> > > Is there opportunity to get such a thing still on the timetable ?
> > >
> > > Regards,
> > > Kate
> > > --
> > > "The introduction of a coordinate system to geometry is an act of violence"
> > > _______________________________________________
> > > Squatconf mailing list
> > > Squatconf@???
> > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/squatconf
> >
> > _______________________________________________
> > Squatconf mailing list
> > Squatconf@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/squatconf
>
> --
> "The introduction of a coordinate system to geometry is an act of violence"




> _______________________________________________
> Squatconf mailing list
> Squatconf@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/squatconf