[GTALUG] Hello and GnuPG/PGP key signing parties

Bob Jonkman bjonkman at sobac.com
Sun Mar 11 15:45:29 EDT 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sergio wrote:

> and a government piece of identification (if you can bring two
> pieces, even better).

Let me post my usual diatribe against using third-party ID for
keysigning...

Signing a GnuPG/PGP key is an indication that the signer believes that
a particular key is controlled by the entity named on the key. It is
not your third-party acknowledgement that a person is allowed to drive
an automobile in Ontario, or is allowed to receive health care, or is
allowed to travel to foreign lands.

The GnuPG/PGP Web Of Trust is based on individual knowledge of each
other. It was designed specifically to avoid a central authority
certifying a key or the identity associated with a key. Requiring
government ID to sign a GnuPG/PGP key puts identity certification back
into the hands of an authority. It's a proxy for your personal
knowledge of each other. If you require government ID, if you don't
believe that the key belongs to the identity named on that key, then
you shouldn't be signing that key.

You can establish rudimentary knowledge of each other by exchanging a
shared secret in two encrypted messages, which you then exchange again
in person at the keysigning. For example, I send you an encrypted and
signed message with "Yellow Beard", and you send me one with "Pink
Elephant". At the keysigning I ask "Yellow?" and you reply "Beard!",
then you ask "Pink?" and I reply "Elephant!"  This verifies we've
received each others' encrypted mail, and gives some assurance that we
each really own the GnuPG/PGP keys on that e-mail. It can be done the
other way as well -- exchange the shared secret in person first, then
verify with an encrypted and signed message later.

The best way to establish trust for another person is to know them.
But even if you've never met in person, if you've exchanged signed or
encrypted e-mail over the long term then you have some knowledge of
each other, and you can decide if your e-mail correspondent is really
the person you're meeting at the keysigning. This is why I sign every
e-mail message I write. Without ever having met me or signing my key,
you can be sure that every message with my signature comes from the
same person, and you can judge from my writing and speaking style that
the person you meet is the same person who sent those messages on the
list. In fact, some people will sign a key based simply on long-term
e-mail correspondence without ever meeting that correspondent,
verifying that the signer believes that key belongs to the e-mail
address they know so well.

A key could also be held by an organization such as GTALUG, or it
could even represent an event such as a keysigning. There's no
government ID for that. Will you need to see the GTALUG articles of
incorporation for anyone using an @gtalug.org e-mail address?

I do recommend that the keymaster for a keysigning event generates a
key specifically for that event. Signing such a key means the signer
believes that key is used to represent attendance at the keysigning,
and having a keysigning key's signature on your key means that you
attended that keysigning event. That's extra work for the keymaster,
but gives an added level to the Web of Trust.

I'm sorry that I won't be able to come to Toronto for a keysigning
anytime in the near future; maybe a keysigning could be a regular
feature every few months or so.

I've written about running keysigning parties:

http://bob.jonkman.ca/blogs/2011/10/14/how-to-hold-a-key-signing-party/

https://sobac.com/wiki/Formal_Keysigning

https://sobac.com/wiki/Informal_Keysigning

https://sobac.com/wiki/Guidelines_for_Key_Signing_Parties

- --Bob.


On 2018-03-10 03:53 PM, Sergio Durigan Junior via talk wrote:
> On Friday, March 09 2018, Rouben via talk wrote:
> 
>> I’m a newbie to this list. The name is Rouben Tchakhmakhtchian;
>> I’ve been a Linux user since about 1998 (dabbled with it a bit
>> before that). I’m currently working at UofT in IT, and am still a
>> die-hard open source enthusiast.
>> 
>> I was wondering, does the GTALUG community still organize GPG key
>> signing events? If not, I would also like to know how much
>> interest there would be in such an event.
> 
> Hi Rouben,
> 
> I sent an e-mail recently about doing a keysigning party at the
> next meeting, which will be on the 13th.  One more person
> manifested interest, and now you also said you would like to do it.
> That's great. I think we should look for each other during the next
> meeting (or maybe do an announcement after the meeting is over but
> before going to the pub?) and do the signings.
> 
> As has been said already, each person who is interested in getting
> their keys signed MUST bring paper slips containing information
> about their keys (on Debian GNU/*, you can install the
> "signing-party" package, which comes with the "gpg-key2ps" tool),
> and a government piece of identification (if you can bring two
> pieces, even better).
> 
> We can do the signing either in the classroom or in the pub,
> whatever is more convenient.
> 
> Cheers,
> 
> 
> 
> --- Talk Mailing List talk at gtalug.org 
> https://gtalug.org/mailman/listinfo/talk
> 

- -- 
Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-635-9413
SOBAC Microcomputer Services             http://sobac.com/sobac/
Software   ---   Office & Business Automation   ---   Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlqlh00ACgkQuRKJsNLM5eowTQCdG40A9N5kGZ6IQZLUq/hwPKWL
Z2gAn2ZKcxIHmcxS5XlbHwAGdr/jDypk
=QfCn
-----END PGP SIGNATURE-----
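
The shared-secret exchange Bob describes above, together with the
paper-slip fingerprint check from Sergio's message, as an added example
(this is not code from the original post and not part of GnuPG or the
signing-party package). It parses the machine-readable lines GnuPG
prints on --status-fd, which are real; the status text, the secret
phrases and the helper names (record_received, record_sent,
key_to_sign) are constructed for the example. The only fingerprint used
is the one from Bob's own signature block, and GnuPG is needed on PATH
only for decrypt_with_status(); everything else runs offline.

```python
"""Bookkeeping for the shared-secret check at a keysigning party.

Added example, not code from the original post. GnuPG is assumed on PATH
only for decrypt_with_status(); the rest runs offline on constructed data.
"""
import re
import subprocess

# Lines GnuPG emits on --status-fd. The two that matter here:
#   [GNUPG:] DECRYPTION_OKAY                      encrypted to a key we hold
#   [GNUPG:] VALIDSIG <fpr> ... [<primary-fpr>]   the signature verified
# BADSIG / ERRSIG / DECRYPTION_FAILED mean the message proves nothing.
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text):
    """Return {'decrypted': bool, 'signer': fingerprint or None}."""
    decrypted, signer = False, None
    for line in status_text.splitlines():
        m = _STATUS.match(line.strip())
        if not m:
            continue  # gpg's human-readable chatter
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "DECRYPTION_OKAY":
            decrypted = True
        elif keyword == "VALIDSIG" and args:
            # Field 1 is the signing (sub)key; field 10, when present, is the
            # primary key, which is what a paper slip carries.
            signer = args[9] if len(args) >= 10 else args[0]
        elif keyword in ("BADSIG", "ERRSIG", "DECRYPTION_FAILED"):
            return {"decrypted": False, "signer": None}
    return {"decrypted": decrypted, "signer": signer}


def decrypt_with_status(path):
    """Run gpg on a saved message; returns (plaintext, status_text).
    Status lines land on stderr with gpg's usual messages, which
    parse_status() skips."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
                          capture_output=True, text=True, check=False)
    return proc.stdout, proc.stderr


def normalize_fingerprint(text):
    """Accept a fingerprint written with spaces (as gpg-key2ps prints it) and
    refuse anything shorter than the full 40-hex v4 fingerprint: 8- and
    16-hex key IDs are cheap to collide and prove nothing."""
    hexstr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError("need a full 40-hex fingerprint, got %r" % text)
    return hexstr


def record_received(ledger, secret, status_text):
    """A secret I received: keep it only if the mail decrypted with my key
    and carried a valid signature, and remember which key signed it."""
    r = parse_status(status_text)
    if not (r["decrypted"] and r["signer"]):
        return False
    challenge, response = secret.split(None, 1)
    ledger.setdefault("received", {})[challenge.lower()] = (
        response.lower(), normalize_fingerprint(r["signer"]))
    return True


def record_sent(ledger, secret, recipient_fpr):
    """A secret I sent, encrypted to recipient_fpr: whoever answers it at
    the party could read mail encrypted to that key."""
    challenge, response = secret.split(None, 1)
    ledger.setdefault("sent", {})[challenge.lower()] = (
        response.lower(), normalize_fingerprint(recipient_fpr))


def key_to_sign(ledger, they_asked, i_asked, their_answer, slip_fpr):
    """At the party. Returns the fingerprint to sign, or None. The person
    must (a) ask the challenge that arrived signed by their key, (b) answer
    the one I encrypted to their key, and (c) hand over a slip showing that
    same fingerprint; only then is 'gpg --sign-key <fpr>' justified."""
    slip = normalize_fingerprint(slip_fpr)
    recv = ledger.get("received", {}).get(they_asked.lower().rstrip("?"))
    sent = ledger.get("sent", {}).get(i_asked.lower().rstrip("?"))
    if recv is None or sent is None:
        return None
    _, signer = recv
    expected, recipient = sent
    if their_answer.lower().rstrip("!") != expected:
        return None
    return slip if signer == recipient == slip else None


# Constructed status output, not captured from a real gpg run; the key is
# the one in Bob's signature block (its key ID is the last 16 hex digits).
BOB_FPR = "04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA"
GOOD_STATUS = """gpg: encrypted with 2048-bit RSA key
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG B91289B0D2CCE5EA Bob Jonkman <bjonkman@sobac.com>
[GNUPG:] VALIDSIG 04F7742B8F54C40AE11526C2B91289B0D2CCE5EA 2018-03-11 1520797200 0 4 0 17 2 00 04F7742B8F54C40AE11526C2B91289B0D2CCE5EA
"""
BAD_STATUS = """[GNUPG:] DECRYPTION_OKAY
[GNUPG:] BADSIG B91289B0D2CCE5EA Bob Jonkman <bjonkman@sobac.com>
"""


def demo():
    """Walk the exchange from the other party's side: Bob mailed me
    'Yellow Beard', I mailed him 'Pink Elephant'."""
    ledger = {}
    ok = record_received(ledger, "Yellow Beard", GOOD_STATUS)
    record_sent(ledger, "Pink Elephant", BOB_FPR)
    return ok, key_to_sign(ledger, "Yellow?", "Pink?", "Elephant!", BOB_FPR)


if __name__ == "__main__":
    print(demo())
```

The ledger ties each half of the exchange to a fingerprint rather than
to a name: the signature on the mail I received binds the asker to a
signing key, the secret I encrypted binds the answerer to a decryption
key, and the slip has to show the same 40-hex fingerprint before
anything gets signed. A wrong answer, a BADSIG, or a slip that only
carries a short key ID all fall through to "don't sign".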

