[Nottingham] [any debian developer in notts area?]

Andy Smith andy at strugglers.net
Tue Apr 24 11:28:48 UTC 2012 

Hi,

On Tue, Apr 24, 2012 at 09:24:30AM +0100, david at gbenet.com wrote:
> On 24/04/12 08:51, Jason Irwin wrote:
> > Martin!  Looks like we found an expert!

:/ Not really, gpg sometimes still confuses me, but I have been
using it since 1998ish..

> > Andy - would you be able to give the talk and help muppets like me?

I'm afraid not - I don't live in Nottingham. I've been subscribed
here for a long time though, just rarely find anything I know about
to comment on! :)

> then you go back to your computer - sign that key and then upload
> it to a keyserver

A slight nit-pick here: it is best to email the signed key back to
its owner (the email address on the key), encrypted, rather than
upload it to a key server on their behalf.

Reasons why:

- Some people prefer not to have their keys on public key servers

- Once you upload a key to a public key server you can't ever take
  that back. There is no way to remove keys from keyservers, and
  they distribute them to each other, so this key eventually gets
  everywhere.

- It provides an extra bit of security because only the true owner
  of that key could decrypt it to see that you have signed it.

  It is a bit contrived but, my name is obviously very common: I can
  find many public keys out there on key servers that belong to
  "Andrew Smith". I can then turn up with that public key at a key
  signing event and show my real passport that says I am Andrew
  Smith.

  For everyone who uploads the signed key, I just got them to sign
  this random key to say they met this Andrew Smith guy. They did -
  but not the Andrew Smith they thought they were meeting! The web
  of trust has now been disrupted¹.

  If instead they mailed the signed key back to Andrew Smith using
  the email address on the key itself, the "real" Andrew Smith would
  start getting these emails with his signed key, from people he
  never met, and realise there has been some error. My subterfuge
  has been discovered and you all know you met an imposter.

- It's another safeguard against mistakes being made.

  For example, over the last 10+ years I've sometimes seen
  conferences or events I wanted to go to, and noted that they have
  a PGP signing event. I've sent them my public key so they can put
  it on their keyring to distribute to the attendees to make the
  event run smoother.

  It's then happened that I couldn't attend after all. Yet, after
  the conference is over with, copies of my key start popping up on
  key servers signed by new people. Confused people who have never
  met me have signed my key just because it was on the event's
  keyring. :( Worse, since they've now uploaded that key to public
  key servers, I have no way to get rid of the signatures.

This starts to sound like a massive hassle doesn't it? There is some
software that makes it a lot easier: caff. It's part of the package
"signing-party" on Debian and Ubuntu. Basically you just run it with
a list of key IDs and it signs them all then sends the encrypted
emails for you.

Anyway, dragging this back to what the OP wanted.. Debian do a lot
of keysigning and caff was developed by them to make this easier, so
if planning to meet up with a bunch of DDs (or after Debconf or
whatever) you might want to look into caff anyway.

phew!

Cheers,
Andy

¹ Due to human nature, mistakes are of course being made all the time
  so that is why multiple signatures are good.

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/nottingham/attachments/20120424/8ba79350/attachment-0001.pgp>

More information about the Nottingham mailing list