[kwlug-disc] Last Call for the keysigning party
cdfrey at foursquare.net
Tue Sep 14 01:30:17 EDT 2010

On Tue, Sep 14, 2010 at 01:12:13AM -0400, Bob Jonkman wrote:
> The point of the keysigning is to associate a key value with a real
> person, with no opportunity for a Man in the Middle attack. It is
> not to verify name, address and permission to drive in Ontario.

I know, and I agree (as my ooold archived posts to the list should attest),
but not everyone shares these views.
Yet there remains the problem of how to bootstrap the process. If you're
not allowed to sign a key until you know the person for a year, then it
starts to become a bit like getting a passport, and I don't think GPG
keys need to be that strict.

> because I believe that you're the same guy who drinks Jagermeister and
> I'm going to have to put my key signature where my mouth is. Hopefully
> we can have another key signing party at the next KWLUG meeting, for
> which I will be more prepared.

Everybody who signs has to put their signature where their mouth is.
But I think too much paranoia or criticism will prevent people from dipping
their toes into the GPG waters. And in my opinion, that would be worse
than having a bad signature slip into the web of trust and get discovered

If a key is signed even based on a driver's license, that is higher
validation than downloading his key randomly off the net. Every little

If a license is not enough ID for you, but you still want to sign the key
based on some good-faith efforts, you can set the cert level to your
satisfaction as well. This should not become another Facebook where you
have to sign my key at level 3 just because I signed yours that way. :-)
I think this keysigning went pretty well for a first time, and I want to
thank everyone who participated. There were a few bumps along the way,
and the process can be improved, but that's what version 2.0 is for. :-)
If anyone has suggestions to make the keysigning parties better, please
let me know.