[colug-432] PGP Signing Party
scott.mccarty at gmail.com
Tue Dec 21 09:55:58 EST 2010
Yeah, I don't think the driver's license analogy does it justice. It's more
like a credit card. Any ATM that trusts the STAR network will trust a KeyBank
debit card. The circle of trust builds out from the people on the
inside. I heard Linus Torvalds give a speech on this some years back.
Trust has to be rooted. That is the point of the signing party: to root it
in the group of people that you know are real and trust.
Also, if your private keys are stolen, even if they are encrypted with a
password that is only known by you, it is advisable to revoke the keys.
Usually the second factor only buys you time once the keys have been
compromised. In fact, http://www.keylength.com has recommendations from NIST
(and others) on how long to trust a private/public key pair for, based on how
many bits of encryption.
On Tue, Dec 21, 2010 at 9:32 AM, William Yang <wyang at gcfn.net> wrote:
> On Tue, 2010-12-21 at 08:15 -0500, Steve VanSlyck wrote:
> > Well, can't they do that anyway? I mean that's been my difficulty with
> > certificates and PGP and so on all along.
> Any trust relationship requires trust somewhere along the chain.
> If I know you, and I verify that your PGP fingerprint is X, and I sign
> your PGP key... then anyone who knows me and has signed my key knows
> that I am asserting trust in the assertion that fingerprint X is yours.
> If my friend Rob signs my key, and Mike over there knows Rob and trusts
> Rob, and so forth, we can do the 7-degrees of Kevin Bacon in PGP keys
> game to come to a trustworthy source by establishing a chain of trusted
> relationships between your key and a recipient's. While you can
> certainly validate a 1:1 relationship (as I have with many of my
> professional associates, and which forms my immediate circle of trust in
> PGP), the real value is this "web of trust" that allows people to ride
> on a chain of trusted relationships of varying strength.
> Maybe a reasonable topic for a meeting would be a discussion of
> encryption principles -- openCA, x509 certs, PGP... it's not
> particularly hard to understand, though it gets a little bogged down
> in terminology sometimes.
> The assertion that I am Steve VanSlyck is not true... and a chain of
> trusted relationships -- especially in a circle as small as central Ohio
> -- is likely to not be supported within the Columbus circle. In
> contrast, the assertion that I am William Yang of a given e-mail address
> is extremely likely to be supported.
> William Yang
> wyang at gcfn.net
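As an added illustration of the chain-of-introducers idea discussed in this thread (this is not code from the list or from GnuPG): a simplified Python model of how the holder of a keyring derives a validity for every key from who has signed it and how much owner trust the holder assigns to each signer. The thresholds and depth limit are assumed to mirror GnuPG's classic trust-model defaults, and the keyring (mike, rob, william, steve, alice, bob, eve) is constructed for the example.

```python
"""Simplified web-of-trust validity computation (constructed example)."""

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

# Assumed to match GnuPG's classic defaults: one fully trusted or three
# marginally trusted valid introducers validate a key; chains stop at depth 5.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def key_validity(signatures, ownertrust, my_key):
    """Return {key: (validity, depth)}, validity in 'full'/'marginal'/'unknown'.

    signatures: {key: set of keys that have certified it}
    ownertrust: {key: ULTIMATE|FULL|MARGINAL|NONE}, the holder's view of each
                owner as an introducer; keys not listed count as NONE.
    """
    validity = {my_key: ("full", 0)}          # my own key is the trust root
    for depth in range(1, MAX_CERT_DEPTH + 1):
        promoted = {}
        for key, signers in signatures.items():
            if validity.get(key, ("unknown",))[0] == "full":
                continue
            full = marginal = 0
            for signer in signers:
                if validity.get(signer, ("unknown",))[0] != "full":
                    continue                  # only a valid key can introduce
                trust = ownertrust.get(signer, NONE)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                promoted[key] = ("full", depth)
            elif (full or marginal) and key not in validity:
                validity[key] = ("marginal", depth)
        if not promoted:
            break                             # no new introducers, chain ends
        validity.update(promoted)
    for key in signatures:
        validity.setdefault(key, ("unknown", None))
    return validity


# Constructed keyring as seen by "mike": mike signed rob, alice and bob;
# rob signed william; william, alice and bob signed steve; only eve signed
# "stranger", and eve is outside mike's web entirely.
SIGNATURES = {"rob": {"mike"}, "alice": {"mike"}, "bob": {"mike"},
              "william": {"rob"}, "steve": {"william", "alice", "bob"},
              "stranger": {"eve"}}
OWNERTRUST = {"mike": ULTIMATE, "rob": FULL, "william": MARGINAL,
              "alice": MARGINAL, "bob": MARGINAL}

if __name__ == "__main__":
    for key, (validity, depth) in key_validity(SIGNATURES, OWNERTRUST, "mike").items():
        print(f"{key:9} {validity:8} depth={depth}")
```

steve ends up fully valid only at depth 3, because it takes william (valid via rob) plus alice and bob, three marginally trusted introducers, to reach the threshold; stranger stays unknown because nobody in mike's chain vouches for eve.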