[kwlug-disc] Last Call for the keysigning party
bjonkman at sobac.com
Tue Sep 14 01:12:13 EDT 2010
On 10-09-13 01:39 PM, Chris Frey wrote:
> Some ID would also be a good idea, for those who do not already know you.
No no no.
If people don't know you, then they shouldn't be signing your key. If
you don't know someone, then you shouldn't be signing their key.
Using ID of any sort is assigning trust by proxy to an "authority".
You're no longer vouching for a person based on your own knowledge, but
relying on the "authority" to provide that trust. If you're going to
rely on third-party authorities you might as well revert to a
hierarchical PKI and pay lots of money to a certificate authority to
assign levels of trust for you.
The point of the keysigning is to associate a key value with a real
person, with no opportunity for a Man in the Middle attack. It is
not to verify name, address and permission to drive in Ontario.
When I sign your key it is not because the government says that you're
allowed to drive under the name of Chris Frey, but I sign your key
because I believe that you're the same guy who drinks Jagermeister and
hacks on Blackberries and hangs out at the Syrup Festival. It is based
on my personal knowledge of you, and my trust in your claim that you own
the GPG key with fingerprint 75D458EE
The Web of Trust extends this, so that since I trust your identity and
judgment, I'm also likely to grant some level of trust to the people you
trust. After a successful keysigning party then I'm going to trust many
more people because they're all trusted by people I trust. And I'll be
trusted by more people, because they trust the people who have signed my
I'm going to have to put my key signature where my mouth is. Hopefully
we can have another key signing party at the next KWLUG meeting, for
which I will be more prepared.
 Yes, it is still possible to have a meatspace MitM attack if you're
signing keys for people you don't know and relying on ID. If you've
never met me before then it is possible that someone mugs me in the
parking lot, takes my ID and wears my goofy hat. If you don't know me
you would never be able to tell the difference, and you'd be signing a
key for the wrong person.
More information about the kwlug-disc_kwlug.org