On Tue, Apr 26, 2016 at 02:06:33PM +0200, holger krekel wrote:
> Hi Kate,
>
> On Tue, Apr 26, 2016 at 12:13 +0100, Kate Dawson wrote:
>
> Also from what you describe below I am not sure I am up to date on
> current keysigning "party" practices. Last time I attended one
> people insisted on seeing an ID/passport for signing my key.
> Is this still the case?
>
> This practice I consider kind of decentralized policing. For me it's
> enough to associate a physical someone with an email and public key.
> I don't care what kind of government numbers that person has.
>
No, there are various keysigning protocols. The one I propose
does not use Government-assigned ID. All you do is say you control the
endpoint userid foo@??? and we take your word for it. Obviously
I could turn up and generate a key with uid for holger@??? ( I
just made this address up... ), but we presume that this is unlikely to
happen, and that my and the real holger@??? communications are
unlikely to be subjected to targeted interception that would make this
kind of MITM effective.
As a uid collects signatures it becomes harder for arbitrary imposters
to fake up keys and perform these attacks.
> And to be honest I most often use and advocate trust on first use (TOFU) --
> and then, if it becomes more important, verify by other channels, including
> personal meetups, cross-signatures. Staging MITM attacks on TOFU is
> possible but hard to do undetected on a mass scale.
>
> Advocating TOFU doesn't speak against furthering the Web-of-Trust. For
> me, it's not an either-or. But people can start and should be encouraged
> using GPG right now and should not be required to attend a crypto-party
> first.
I was not advocating against TOFU! If it's all we have we use it. But
the WoT extends and strengthens TOFU. Additionally there are some
systems that make use of OpenPGP to sign arbitrary
cryptographic endpoints, not just email. Then the WoT allows you to
create your own decentralized notary network similar to the one Moxie
proposed in Convergence.
For example
https://sks-keyservers.net/pks/lookup?op=vindex&search=0x62a2d8b5797c0b29
shows the keying material for various services ( https, imaps, pop3s,
smtp... ) being signed by the administrator of that service, allowing
for checking the authenticity of the service without resorting to a
centralised certificate authority.
I'm not necessarily advocating the use of
https://monkeysphere.info
here; just pointing out that people have started to build applications
on top of the WoT.
>
> So all in all looking forward to signing your and other keys soon :)
> I don't know about timing and talks currently but I am happy
> to discuss things more in depth on-site. Are you in Berlin
> earlier than Saturday?
I am in Berlin from tomorrow (Wednesday 27 April) around 21:00.
Best wishes,
Kate
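The exchange above contrasts trust on first use with the Web of Trust, and Kate's point is that the WoT extends TOFU rather than replacing it. The following is an added illustration, not part of the thread and not Monkeysphere code: a minimal trust store that pins the key a service first presents (TOFU), raises an alarm when a later connection presents a different key, and accepts a changed key only when a certification from an already-trusted signer vouches for it (WoT). Certifications are modelled as plain records instead of real OpenPGP signatures, and the service uids, key bytes and signer are constructed sample data, so it runs offline with the standard library only.

```python
"""TOFU pinning strengthened by a Web-of-Trust check (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for key material; truncated SHA-256 stands in for an OpenPGP fingerprint."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass(frozen=True)
class Certification:
    """Signer asserts that key_fpr belongs to uid (a stand-in for a key signature, not a real one)."""
    signer_fpr: str
    uid: str
    key_fpr: str


@dataclass
class TrustStore:
    pins: dict = field(default_factory=dict)            # uid -> fingerprint pinned on first use
    trusted_signers: set = field(default_factory=set)   # signer fingerprints whose certifications we accept
    certifications: set = field(default_factory=set)    # Certification records we have seen

    def wot_vouches(self, uid: str, key_fpr: str) -> bool:
        """True if some trusted signer has certified key_fpr for this uid."""
        return any(
            c.uid == uid and c.key_fpr == key_fpr and c.signer_fpr in self.trusted_signers
            for c in self.certifications
        )

    def check(self, uid: str, public_key: bytes) -> str:
        """Decide whether to trust public_key for uid; returns a short verdict label."""
        fpr = fingerprint(public_key)
        pinned = self.pins.get(uid)
        if pinned is None:
            # Never seen this uid: a WoT certification is better than bare TOFU, but either pins.
            self.pins[uid] = fpr
            return "accepted-wot" if self.wot_vouches(uid, fpr) else "accepted-tofu"
        if pinned == fpr:
            return "accepted-pinned"
        if self.wot_vouches(uid, fpr):
            # Key changed, but a trusted signer certified the new one: treat as legitimate rotation.
            self.pins[uid] = fpr
            return "accepted-rotation"
        # Key changed and nobody we trust vouches for it: this is what a MITM on TOFU looks like.
        return "REJECTED-key-changed"


def demo() -> list:
    """Run the constructed scenario and return the verdict for each connection attempt."""
    store = TrustStore()
    admin_key = b"constructed admin key material"          # the service administrator's signing key
    store.trusted_signers.add(fingerprint(admin_key))      # we verified the admin's key in person

    svc = "imaps://mail.example.invalid"                    # constructed service uid
    key_a, key_b, key_x = b"service key A", b"service key B", b"impostor key X"

    # The admin has certified key B for the mail service and key C for a web service.
    store.certifications.add(Certification(fingerprint(admin_key), svc, fingerprint(key_b)))
    store.certifications.add(
        Certification(fingerprint(admin_key), "https://www.example.invalid", fingerprint(b"service key C"))
    )

    return [
        store.check(svc, key_a),                                    # first contact: TOFU pins key A
        store.check(svc, key_a),                                    # same key again: fine
        store.check(svc, key_x),                                    # different, uncertified key: alarm
        store.check(svc, key_b),                                    # new key certified by admin: rotation
        store.check(svc, key_x),                                    # impostor again: still rejected
        store.check("https://www.example.invalid", b"service key C"),  # never seen, but the WoT vouches
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two checks are the ones bare TOFU cannot make: it would flag the admin's legitimate key rotation exactly as loudly as the impostor, and it could say nothing at all about a service it had never contacted. A certification from a signer already in the local trust set resolves both cases without a central certificate authority.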