[colug-432] key signing parties and the broader web of trust

[Richard Troth]

On Thu, Sep 1, 2011 at 08:11, Aaron Toponce <aaron.toponce at gmail.com> wrote:
> Thought I would join this list to announce the PGP Keysigning party that is
> happening at the Ohio Linux Fest.   ...

Welcome to the group, Aaron, and thanks again for organizing the key
signing BoF.

Everyone will have a different level of knowledge about the topic, so
here is the "back story" I mentioned in another note.  I hope it
helps.

Years ago, I was working in academia.  This was around the time Phil
Zimmerman was in court.  Somehow, I got introduced to PGP.  Cool!  I
don't recall how long it took for the implications of strong
encryption to sink it, but eventually they did, and I became rather a
fanatic.  Several of us created key pairs, signed each others keys,
and occasionally sent encrypted email.  (Even before WiFi, there were
snoopers sniffing and any kid with 'tcpdump' could track the traffic
on the university's wire.)

Over time, I used PGP less and less.  Security professionals will tell
you "it's a process", so having even the very best tools and
technology is of no use when your peers and colleagues are not using
them.  I left academia for the Dark Side, and spent less energy on
peer-to-peer security.  Ironically, in the corporate world we made
plenty of use of double-key cryptography.  Ever heard of SecurID?
(don't get me started)  But there were few using personal keys.

Later, when I was at Nationwide, we had the need to keep track of a
growing number of passwords.  One of the guys on the team thought it
would make sense to keep this in an encrypted file that we could
share.  (Important side note: not all use of GPG/PGP is for email.)
We were all using Linux where GPG was standard.  So everyone generated
a key pair and sent their public key to him.  He encrypted the file
with everyone's public key.  It worked.  That would have been enough,
but for me, using GPG brought back a flood of geeky memories from the
PGP days.  I suggested a key signing party.  It didn't "take".  No one
else on the team really saw the point.

My family cannot get me to shut up so easily.  At home, I managed to
talk the wife and kids into creating key pairs.  The plug-ins and
add-ons for various email clients and other utilities make PGP/GPG
keys really easy to manage.  You can sign any outgoing message.  It
does not matter if the recipient(s) of a signed message have GPG.  But
those who do can validate that you really sent it.  (Talk about
fighting spam ... if only.)  When you have someone's "public key", you
can encrypt messages you send to them.  (Most email clients will
automatically deal with multiple recipients.)  Only those with a
matching "secret key" can unlock a message thusly encrypted.  Rob
Stampfli and others have differentiated encryption -vs- signing.

The point of establishing a web of trust is that you want assurance
that the public keys you possess are valid.  This is deep magic.  You
don't want some rogue like me sending messages as if I were Maddog
Hall, would you?  But you cannot always get a public key in person.
So there is this wonderful feature of signing keys.  When a key
belonging to someone you don't (yet) know is signed by someone you do
know, you can accept the new guy's key.

There are three things that happen (relevant to this discussion) ...

        encrypt email (using the public key of the recipient(s))

        sign email (using your secret key)

        sign the public key of someone else using your secret key

This last one is what happens at a key signing party.

-- Rick;   <><