[kwlug-disc] Last Call for the keysigning party

Bob Jonkman bjonkman at sobac.com
Tue Sep 14 01:12:13 EDT 2010


On 10-09-13 01:39 PM, Chris Frey wrote:

> Some ID would also be a good idea, for those who do not already know you.
>    

No no no.

If people don't know you, then they shouldn't be signing your key.  If 
you don't know someone, then you shouldn't be signing their key.

Using ID of any sort is assigning trust by proxy to an "authority".  
You're no longer vouching for a person based on your own knowledge, but 
relying on the "authority" to provide that trust.  If you're going to 
rely on third-party authorities you might as well revert to a 
hierarchical PKI and pay lots of money to a certificate authority to 
assign levels of trust for you.

The point of the keysigning is to associate a key value with a real 
person, with no opportunity for a Man in the Middle attack[1].  It is 
not to verify name, address and permission to drive in Ontario.

When I sign your key it is not because the government says that you're 
allowed to drive under the name of Chris Frey, but I sign your key 
because I believe that you're the same guy who drinks Jagermeister and 
hacks on Blackberries and hangs out at the Syrup Festival.  It is based 
on my personal knowledge of you, and my trust in your claim that you own 
the GPG key with fingerprint 75D458EE

The Web of Trust extends this, so that since I trust your identity and 
judgment, I'm also likely to grant some level of trust to the people you 
trust.  After a successful keysigning party then I'm going to trust many 
more people because they're all trusted by people I trust.  And I'll be 
trusted by more people, because they trust the people who have signed my 
key.

I'm going to have to put my key signature where my mouth is.  Hopefully 
we can have another key signing party at the next KWLUG meeting, for 
which I will be more prepared.


--Bob.

[1] Yes, it is still possible to have a meatspace MitM attack if you're 
signing keys for people you don't know and relying on ID.  If you've 
never met me before then it is possible that someone mugs me in the 
parking lot, takes my ID and wears my goofy hat.  If you don't know me 
you would never be able to tell the difference, and you'd be signing a 
key for the wrong person.






More information about the kwlug-disc mailing list