Re: How to get your first key signed

2015-10-12 Thread David Niklas
Sorry to disappear and thanks for your answers!
As for why you can't find my key: I thought that if you upload to one
server it will spread it to them all.
My key is at biglumber.com; I'll copy it, but I'm out of time now.

Thanks again, David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to get your first key signed

2015-10-12 Thread Antony Prince
On 10/12/2015 5:32 PM, David Niklas wrote:
...
> As for why you can't find my key. I thought that if you upload to one
> server it will spread it to them all.
...

This is true in the case of servers in the sks pool[1], but not true of
all keyservers. Some keyservers are privately operated and do not share
keys to other keyservers. The largest pool of public keyservers that I
know of is the SKS pool, but there may be others that I'm unaware of.

[1]https://sks-keyservers.net/


-- 

Antony Prince

Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659  C482 AF3D 4087 301B 1B19
URL:
http://pool.sks-keyservers.net/pks/lookup?op=get&search=0xAF3D4087301B1B19





Re: How to get your first key signed

2015-10-04 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Saturday 3 October 2015 at 1:04:55 PM, in

Re: How to get your first key signed

2015-10-04 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Saturday 3 October 2015 at 11:53:26 PM, in
, Robert J. Hansen wrote:



> If I commit a crime and it gets traced back to the
> certificate we shared, then the authorities would have
> to figure out which of us was using the certificate.

This may not be the case if the crime took place in a jurisdiction
that applies the doctrine of joint enterprise [0].

[0] 


- --
Best regards

MFPA  

When it comes to humility, I'm the greatest.


Re: How to get your first key signed

2015-10-04 Thread joe . asmodeus
"Robert J. Hansen"  wrote:
> The idea that OpenPGP signatures are non-repudiable is a fashionable bit
> of nonsense: I am aware of no court, anywhere in the world, which has
> recognized OpenPGP signatures as being non-repudiable.
>

Are you aware of a court, anywhere in the world, which has considered the
issue?




Re: How to get your first key signed

2015-10-04 Thread Antony Prince
On 10/02/2015 06:55 PM, Faramir wrote:
> ...
>   Well, you don't really need your key signed for that... at least,
> not the key with your name on it. You can make a key using the name
> "mysoftwarename distribution key", and use it to sign the files. Once
> people start using the software, they may sign the key. They don't
> know who is behind the key, but they will know it is the same key that
> has been using since day 1.
> 

I agree with this sentiment. I have locally signed Niibe's and Werner's
distribution keys, meaning the signatures are not exportable. I have not
verified their identities, but the fingerprints match those on their
website and listed in the announcement e-mails about the software. I
would not be able to definitively say that those keys belong to a person
named Werner Koch or Niibe Yutaka, but they do belong to the people
claiming to have those names and consistently releasing software under
those names. Since the keys do not change with every release, it is
reasonable to assert that it is the same people/person every time. Point
is, you don't need to have your identity verified for people to trust
your key. All my keys are self-signed. I revoked the original key I
created and created this one. I signed this key with the old one before
revoking it. Therefore, you could roughly assume that I am the person
who controlled the secret material to the previous key with this UID,
since this key is signed by that one as well. My name may or may not
really be "Antony Prince", but the keys created with that UID are
chained together by their signatures. I could go even further and make a
short web page listing the previous and current fingerprints and why I
revoked the previous key (called a "transition statement", IIRC) and
even sign that message. I have not done this because my identity as far
as my gpg key goes is not under that much scrutiny or of that much
importance to anyone that I'd need to go to those lengths.

-- 

Antony Prince

Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659  C482 AF3D 4087 301B 1B19
URL:
http://keyserver.blazrsoft.com/pks/lookup?op=get&search=0xAF3D4087301B1B19



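The reasoning in Antony's post above (a release key that stays the same is evidence it is the same person; a replacement key is acceptable when the old key has signed the new one) can be written down as a small pinning check. The following is an added example, not code from GnuPG or from anyone on the list; it does no real OpenPGP parsing, models a key as a fingerprint plus the fingerprints that have certified it, and uses constructed fingerprints and a constructed user ID.

```python
"""Key continuity ("the same key since day 1") with signed key transitions.

Added example for this thread: it is not code from GnuPG or from anyone on
the list, and it does no real OpenPGP parsing. A key is modelled as its
fingerprint plus the set of fingerprints that have certified it. The user
ID and every fingerprint below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


def normalize_fpr(fpr: str) -> str:
    """Canonical fingerprint: 40 uppercase hex digits, no spaces, no 0x prefix."""
    f = fpr.replace(" ", "").upper()
    if f.startswith("0X"):
        f = f[2:]
    if len(f) != 40 or any(c not in "0123456789ABCDEF" for c in f):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return f


@dataclass
class Key:
    fingerprint: str
    certified_by: set = field(default_factory=set)  # fingerprints that signed this key

    def __post_init__(self):
        self.fingerprint = normalize_fpr(self.fingerprint)
        self.certified_by = {normalize_fpr(f) for f in self.certified_by}


class ContinuityStore:
    """Pins the first key seen per user ID and judges every later sighting.

    Verdicts returned by observe():
      first-seen  nothing pinned for this UID yet, so pin this key
      match       the pinned key again (the continuity the thread relies on)
      transition  a new key carrying a certification from the pinned key:
                  accept it and move the pin (a signed key transition)
      mismatch    a new key with no certification from the pinned key
    """

    def __init__(self):
        self.pinned = {}  # uid -> fingerprint currently accepted
        self.chain = {}   # uid -> fingerprints accepted so far, in order

    def observe(self, uid: str, key: Key) -> str:
        current = self.pinned.get(uid)
        if current is None:
            self.pinned[uid] = key.fingerprint
            self.chain[uid] = [key.fingerprint]
            return "first-seen"
        if key.fingerprint == current:
            return "match"
        if current in key.certified_by:
            self.pinned[uid] = key.fingerprint
            self.chain[uid].append(key.fingerprint)
            return "transition"
        return "mismatch"


# Constructed fingerprints; they do not belong to any real key.
OLD_FPR = "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"
NEW_FPR = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"
IMPOSTOR_FPR = "DEAD BEEF DEAD BEEF DEAD  BEEF DEAD BEEF DEAD BEEF"


def demo_release_history():
    """Five releases of one project, as seen by a verifier that pins keys."""
    store = ContinuityStore()
    uid = "mysoftwarename distribution key"
    releases = [
        Key(OLD_FPR),                          # release 1: first sighting, pin it
        Key(OLD_FPR),                          # release 2: same key, continuity holds
        Key(IMPOSTOR_FPR),                     # release 3: unrelated key, nothing vouches for it
        Key(NEW_FPR, certified_by={OLD_FPR}),  # release 4: the old key signed the new one
        Key(OLD_FPR),                          # release 5: the retired key is no longer accepted
    ]
    verdicts = [store.observe(uid, k) for k in releases]
    return verdicts, store.chain[uid]


if __name__ == "__main__":
    for verdict in demo_release_history()[0]:
        print(verdict)
```

Release 3 is the case the thread cares about: a key nobody has vouched for is not rejected because of who it claims to be, but because it breaks the chain. A real verifier would take `certified_by` from the certifications on the new key, and the "mismatch" verdict is where a human would go looking for a transition statement.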


Re: How to get your first key signed

2015-10-04 Thread Robert J. Hansen
> Are you aware of a court, anywhere in the world, which has considered the
> issue?

Yes, many!  Digital signatures are enforceable in U.S. courts.

Non-repudiability, though, as far as I know has never been successfully
argued.  More to the point, I don't think it could be.




Re: How to get your first key signed

2015-10-04 Thread joe . asmodeus
"Robert J. Hansen"  wrote:
> Yes, many!  Digital signatures are enforceable in U.S. courts.
>
> Non-repudiability, though, as far as I know has never been successfully
> argued.  More to the point, I don't think it could be.

I assume that enforceability is determined using the standards applied to
pen-and-ink signatures. Lack of legal capacity, forgery or duress, to name
a few, would permit repudiation.  The party seeking to enforce a contract
signed digitally should bear the burden of establishing a signature's
validity.  Therefore, I agree that a blanket holding that all digital
signatures are non-repudiable is unlikely.




Re: Unsubscription Request (was: Re: How to get your first key signed)

2015-10-04 Thread Richard Höchenberger
Hello Peter,

On Sun, Oct 4, 2015 at 9:55 PM, Peter Lebbing 
wrote:

> I personally
> find this statement disrespectful to the people who tried to help miss
> Lynn,
> when she is not very approachable and offers no more explanation as to
> why she can't just unsubscribe than the following
>

you've certainly got a point there. My apologies to anyone who may have felt
insulted. Nevertheless, it can be extremely hard for a not-so-tech-savvy
person to provide a good description of the exact problems they are
encountering. A possible explanation for her weak responsiveness could be
that she was simply overwhelmed by the amount of (undesired) email flooding
her inbox. Who knows. And while I usually always prefer helping people to
help themselves (as you and others did), this approach was undoubtedly
unfruitful here over the course of several weeks. Remote support can be a
very tricky and time-consuming endeavor :) At any rate, thanks to all who
were trying to help. Still, I'm hoping some moderator or admin could simply
remove her address from the list.

Richard


Unsubscription Request (was: Re: How to get your first key signed)

2015-10-04 Thread Richard Höchenberger
Hello everyone,

On Sat, Oct 3, 2015 at 8:23 PM, Crissy Lynn 
wrote:

> Please! For the 600th time! REMOVE ME FROM THIS MAILING LIST!


so for whatever reason, this user is obviously unable to successfully
unsubscribe from this mailing list. Will not any of the list
admins/moderators have mercy and remove her email address from the list? I
find the repeated explanations of how to unsubscribe extremely unhelpful,
bordering on disrespect, since they do not provide the kind of help this
user needs. You told her "601 times", she somehow failed equally often and is
unable to comply, so please HELP her already and remove that email address!

Richard


Re: Unsubscription Request (was: Re: How to get your first key signed)

2015-10-04 Thread Peter Lebbing
On 04/10/15 20:05, Richard Höchenberger wrote:
> I find the repeated explanations of how to unsubscribe extremely unhelpful,
> bordering on disrespect, since they do not provide the kind of help this
> user needs.

Even though I might share your sentiment on the rest of your mail, I personally
find this statement disrespectful to the people who tried to help miss Lynn,
when she is not very approachable and offers no more explanation as to
why she can't just unsubscribe than the following:

On 31/08/15 21:08, Crissy Lynn wrote:
> I have tried any and everything to be taken OFF of this random mailing
> list!!! I've 'Unsubscribed' 10 times.

And yes, I was one of those people trying to help, but I would have found it
equally disrespectful if I hadn't been one of the people at least trying.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Unsubscription Request (was: Re: How to get your first key signed)

2015-10-04 Thread Brad Rogers
On Sun, 04 Oct 2015 21:55:49 +0200
Peter Lebbing  wrote:

Hello Peter,

>equally disrespectful if I hadn't been one of the people at least
>trying.

Whilst it's laudable that people try and help her, I doubt she's even
_reading_ stuff from the list any more.  *Seeing* it, yes (obviously). 
As such, I suspect any offers of help, or requests for information that
would lead to her being unsubscribed successfully are going unnoticed.

-- 
 Regards  _
 / )      "The blindingly obvious is
/ _)rad   never immediately apparent"
You said you ain't had none for weeks, but baby I seen your arms
Deny - The Clash




Re: How to get your first key signed

2015-10-03 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Friday 2 October 2015 at 5:51:52 AM, in
,
Guan Xin wrote:



> So you three will share the same reputation on the
> mailing list.

No, their reputations and posting histories did not become merged.



> If at least one of you commit crimes with
> your signed messages, you will share the same legal
> liability unless proved not guilty by other means,

What happened to being innocent until proven guilty?



- --
Best regards

MFPA  

Did you hear? They took the word gullible out of the dictionary
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWD70rXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwey4H/3nCzzj/c6vI8zVUGhnI9wKf
DnW6IaEglDvHQbqXFW/swQKqhL6FqfnQ+/ulC/qQLG5LRiIU6XYgJsYe1IUr1seY
Aq8O9Wfj5uI5ijlReZ4uQyLAmGrsMr2cshpnbeR8K8Nf1pcVrAvJLNDcbCmx5mYY
5XLXrU2rV/YpSP5d1oFVPvH9Q/UupVKZGjSduOfnixS+TvKSCefGLvAToAhFfGkp
YrgBKaEO6Jo7npouNicPEY7WQbsP6EAa328timRJVJtmQN0eI31W3r0LL7UljgUA
z1mJF7VH17xj4QV2VO8chcmsl0W1pRfj6Kh5goWNyNYWinjVJ1lnFXqi57yyY7GI
vgQBFgoAZgUCVg+9M18UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45O/6AP9BbhVFPcI7VdsEvM/Gej7fs6lw
AqDOqqlm84OzEinB+AEAj0Rm1XJGoIjfgyeIwZ/Jj8fwAnZ7WLomZsEnVFvBmw8=
=YrR0
-----END PGP SIGNATURE-----




Re: How to get your first key signed

2015-10-03 Thread Guan Xin
On Sat, Oct 3, 2015 at 1:33 PM, MFPA
<2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
>
>> So you three will share the same reputation on the
>> mailing list.
>
> No, their reputations and posting histories did not become merged.

The word "will" does not imply history. You know that by reputation
I meant personal reputation, not the Arabic numbers
or green boxes shown on the webpage, don't you?

>> If at least one of you commit crimes with
>> your signed messages, you will share the same legal
>> liability unless proved not guilty by other means,
>
> What happened to being innocent until proven guilty?

What happened to being guilty once proven guilty until
proven innocent?
Your key is the proof. If you all believe digital signature
can't prove anything, why do you use it at all?

Guan



Re: How to get your first key signed

2015-10-03 Thread Robert J. Hansen
> IF YOU THINK DIGITAL SIGNATURES ARE NOTHING
> THEN PLEASE KEEP AWAY FROM THIS MAILING LIST.

A digital signature means surprisingly little.  These are the conditions
that must be met for a signature to be meaningful: it must be correct,
issued from a validated[*] certificate, and belong to a trusted person.

If you've got all those, then yes, a digital signature can be very
meaningful.  If you don't, they mean very little.

Maybe I should add this to the FAQ, along with an explanation of why.


[*] Insert word-of-choice here.  Trusted, validated, whatever.



Re: How to get your first key signed

2015-10-03 Thread Guan Xin
On Sat, Oct 3, 2015 at 7:40 PM, Peter Lebbing  wrote:
> On 03/10/15 14:04, Guan Xin wrote:
>> What happened to being guilty once proven guilty until
>> proven innocent?
>> Your key is the proof.
>
> Please stop trolling.
>
> Peter.

YOU who insist that digital signatures are no proof
and worth nothing please STOP TROLLING.

IF YOU THINK DIGITAL SIGNATURES ARE NOTHING
THEN PLEASE KEEP AWAY FROM THIS MAILING LIST.

Guan



Re: How to get your first key signed

2015-10-03 Thread Guan Xin
On Sat, Oct 3, 2015 at 7:40 PM, Peter Lebbing  wrote:
> On 03/10/15 14:04, Guan Xin wrote:
>> What happened to being guilty once proven guilty until
>> proven innocent?
>> Your key is the proof.
>
> Please stop trolling.
>
> Peter.

"Please don't feed the troll" is an acceptable wording when said to me.

"Please stop trolling" is the word for you.

Guan



Re: How to get your first key signed

2015-10-03 Thread Crissy Lynn
Please! For the 600th time! REMOVE ME FROM THIS MAILING LIST! 



> On Oct 3, 2015, at 1:44 PM, Guan Xin  wrote:
> 
>> On Sat, Oct 3, 2015 at 7:40 PM, Peter Lebbing  
>> wrote:
>>> On 03/10/15 14:04, Guan Xin wrote:
>>> What happened to being guilty once proven guilty until
>>> proven innocent?
>>> Your key is the proof.
>> 
>> Please stop trolling.
>> 
>> Peter.
> 
> YOU who insist that digital signatures are no proof
> and worth nothing please STOP TROLLING.
> 
> IF YOU THINK DIGITAL SIGNATURES ARE NOTHING
> THEN PLEASE KEEP AWAY FROM THIS MAILING LIST.
> 
> Guan
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: How to get your first key signed

2015-10-03 Thread Guan Xin
On Sat, Oct 3, 2015 at 8:19 PM, Robert J. Hansen  wrote:
>> IF YOU THINK DIGITAL SIGNATURES ARE NOTHING
>> THEN PLEASE KEEP AWAY FROM THIS MAILING LIST.
>
> A digital signature means surprisingly little.

It's a kind of weak proof in China, and is much more than nothing.

I have absolutely no idea of the situation in the Netherlands. Peter knows.

In the U.S., obviously, no proof is needed to convict someone.
I've been *assumed* spying already after another Chinese citizen whom
I never heard of was *only* suspected, only because we worked for
the same department.
Neither digital nor non-digital signatures change racism. So this is irrelevant.

Guan



Re: How to get your first key signed

2015-10-03 Thread Peter Lebbing
On 03/10/15 14:04, Guan Xin wrote:
> What happened to being guilty once proven guilty until
> proven innocent?
> Your key is the proof.

Please stop trolling.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: How to get your first key signed

2015-10-03 Thread Juan Miguel Navarro Martínez
On 2015-10-03 at 20:23, Crissy Lynn wrote:
> Please! For the 600th time! REMOVE ME FROM THIS MAILING LIST!
>

If you knew how to subscribe, you should know how to unsubscribe, because:

1) If you have told this mailing list to unsubscribe you for the 600th
time, then someone has told you how to unsubscribe at least 300 times.
2) If you are subscribed here, then you used a method to subscribe
yourself, be it a) via the website or b) via e-mail. And to unsubscribe,
obviously, you use either of those methods as well.


For method a): Just go to the website[1] again (the URL is in everyone's
email tail). Then at the bottom, fill in the form (one text box with the
sentence "Unsubscribe or Edit"), and click the "Unsubscribe" button.

For method b): Just send an email to 
with "unsubscribe" as the subject or body[2].

No matter which method you used, just follow the instructions after that.

If you are not getting unsubscribed then either a) you didn't do all the
steps, b) you did something wrong in one of the steps or c) you are
subscribed with another email.

[1]: 
[2]: 


-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF



RE: How to get your first key signed

2015-10-03 Thread Jerry
> Please! For the 600th time! REMOVE ME FROM THIS MAILING LIST!

Please, for the 601st time, follow the directions you have been given before:

List-Unsubscribe: ,
 

And while you are at it, STOP hijacking threads.

-- 
Jerry




Re: How to get your first key signed

2015-10-03 Thread Robert J. Hansen
> Please! For the 600th time! REMOVE ME FROM THIS MAILING LIST! 

You have been told how to unsubscribe.  Perhaps try following those
instructions?

To recap: visit this URL.

http://lists.gnupg.org/mailman/listinfo/gnupg-users

At the bottom you'll see text of, "To unsubscribe from Gnupg-users, get
a password reminder, or change your subscription options enter your
subscription email address:".  Enter your email address there and click
"Unsubscribe or edit options".



Re: How to get your first key signed

2015-10-03 Thread Robert J. Hansen
> So you three will share the same reputation on the mailing list.

Probably not.  But if so, I'm fine with that: John and John are good
people.  And the point we were making -- which was that people invest
way too much trust into unvalidated keys and/or possibly untrustworthy
people -- was important and worth making.

> If at least one of you commit crimes with your signed messages,
> you will share the same legal liability...

If I commit a crime and it gets traced back to the certificate we
shared, then the authorities would have to figure out which of us was
using the certificate.

The idea that OpenPGP signatures are non-repudiable is a fashionable bit
of nonsense: I am aware of no court, anywhere in the world, which has
recognized OpenPGP signatures as being non-repudiable.



Re: How to get your first key signed

2015-10-02 Thread Guan Xin
On Fri, Oct 2, 2015 at 7:01 AM, Anthony Papillion
 wrote:
>
> Sorry to just jump in here but I've been following the conversation
> and this caught my eye. While checking the email address associated
> with a key might not /always/ be useful (like in the case of IM, fax,
> etc), it /can/ help provide 'evidence' that a key might have been
> compromised. If I receive an email from an email address that is
> different from that on the key, the very first thing I would do is
> email the key holder at their known address and ask what's up. It
> could very well be a case where the key has been compromised but the
> email address hasn't and the key holder doesn't know.

While the key is used to certify the email / IM name / website, etc.
and not the other way round, it is certainly helpful to check both.
So you are right.
However, note that an email inbox can be hijacked just as a regular mailbox can.

... After some thought, I found that for all the contact methods
(various email addresses, IMs, websites) where I use my key, I had
identified myself in person to my frequent contacts before.
So the signatures really mean that "this email / IM account has not
been compromised", and not that "this key is probably compromised".

Guan



Re: How to get your first key signed

2015-10-02 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

El 01-10-2015 a las 5:33, Bob Henson escribió:
...
> Authority key, say. But a signature of any person's key that you
> have not met and positively verified is worse than useless as it
> degrades the whole trust process. Someone who I had never
> previously even heard of once signed my old, now revoked key - were
> that person someone "known" to be nasty, it would have degraded my
> key's value. The best it could have been is totally meaningless.

  I think it is a mistake to consider that a signature can degrade a key's
value. After all, we CAN'T prevent people from signing our keys,
unless we try to keep them off the keyservers. But keys tend to end up on
keyservers (probably they feel lonely and want to gather with their
peers). And bogus signatures from bogus keys don't weaken the WoT,
since a bogus key is not signed, so its signatures are meaningless. Of
course these signatures increase the public key size, but you can
distribute a clean copy of your key to your peers.

  Best Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJWDw7uAAoJEMV4f6PvczxA39cIAKXhYP5iN+LFP3Fhj+n+b55S
4KXY6D0P0JV4DZYa6kN4duAn9jigM87xOrL4NiCbK+42wg4FkgZioIDxLJzV2C1L
8LQGxNWPfSgO0kbGQKyzsMkcsnc3HMLyiE5MnRH3jiq5arb+gQfO57YaMNRl6JdS
ENpVM7GtxMoloFHZ9dJdhhv8IEqxHnoW3WkvbRZMfgiedj7YKcLDqADgqJ94fzMc
HF280jXWKLbZHZhbp2XdopknzEGZqc02EZ4RBeAHse/jYPShyUfX3mJ/37jriVon
sbZpzLHzxbMlzGVT8+zBzB34ei8ftb0dYaxk5FM7P4MNwycf5y5qaLDiGpT3PFI=
=nKXX
-----END PGP SIGNATURE-----



Re: How to get your first key signed

2015-10-02 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

El 01-10-2015 a las 8:08, Bob Henson escribió:
...
>> It /is/ totally meaningless. And we should educate users that it
>> is meaningless.
> 
> Agreed. But a new user who has yet to be educated would baulk at 
> trusting a key signed by Genghis Khan or Atilla the Hun - however
> they perceived it, they might well refuse to acknowledge the
> signature as valid and would certainly not sign it or assign it
> user trust - that's human nature. Human beings are essentially
> illogical. :-)

  Indeed. But at first sight, the signature would come from "unknown
key", not from Atilla the Hun ;)

  Best Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJWDw/VAAoJEMV4f6PvczxA4gIH/0qXi/VlMYUZ4EynPKpqRN6M
mOJchGkbd6hgrCrWhoFXHJpfoosmrWfn6s6Jpazv1B0h/uXV3w8wTzv5o+Rnrvez
h/jP3tJHN4hI0AdeD/ghumZP2/TM5M3D39Juxg++btFOMZGowXXISaJK0o76yoXw
MtXTywhyVpXma/3tyt2KGaFUf73Q2M8VzUPQpZkDOvN36tJl8bK3Jdid3D1gktwm
nshRe2RUgtuGxECoEegTJraCdbOqi4QyoL0Pqxl4tvUUuB++mR0p9uxMrbQ1wPEU
aAAMjfEBr7UQ0sRhjNcERNG7uNK1XJHeX9AXio+AADz71ikytu1P5018M680cII=
=KEvr
-----END PGP SIGNATURE-----



Re: How to get your first key signed

2015-10-01 Thread Bob Henson
On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
>> I create for myself a gpg key and want to get it signed
> 
> More important than whether your certificate gets signed is who signs
> the certificate, who they are connected to, and so on.
> 
> Some people will sign almost anything.  People who get a reputation for
> signing anything develop a reputation for their signatures being
> meaningless.  Some people have very strong requirements before they'll
> sign.  Their signatures are often worth quite a lot of credibility, but
> good luck getting them.
> 
> The good news is this *can be done*.  I promise.
> 
> The best thing you can do right now is to get involved in the community.
>  Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> three good ones).  And when you post, sign your messages.  Over time
> people will come to trust that your signature connects to the real you,
> even if they can't promise that your name really is David Niklas, or
> can't say what you look like.
> 

Whilst that is partially useful, surely it only vouches for the fact
that the postings came from the same person and not who that person is -
and as such is of very limited use. I have a "newsgroup" key for that
purpose - but it is a tad pointless. I think I know the person who calls
himself Robert J. Hansen and you have certainly corresponded with
someone called Robert H. Henson, but we have no idea who those people
are unless we meet. Keys should only ever be signed in person and if the
person is not well known to you by sight, with some form of irrefutable
photo evidence being presented along with the key signature - a
passport, or something carrying equal weight.

There might be a possible exception where there is no individual person
to meet - the verification signature with software, say. When you have
downloaded the software from the same, known website for some time it
might be reasonable to sign the verification key - if a tad pointless if
it is only really a checksum. Perhaps the same applies to a Certificate
Authority key, say. But a signature of any person's key that you have
not met and positively verified is worse than useless as it degrades the
whole trust process. Someone who I had never previously even heard of
once signed my old, now revoked key - were that person someone "known"
to be nasty, it would have degraded my key's value. The best it could
have been is totally meaningless.


Regards,

Bob






Re: How to get your first key signed

2015-10-01 Thread Peter Lebbing
On 01/10/15 10:33, Bob Henson wrote:
> There might be a possible exception where there is no individual
> person to meet - the verification signature with software, say. When
> you have downloaded the software from the same, known website for
> some time it might be reasonable to sign the verification key - if a
> tad pointless if it is only really a checksum.

Well, it doesn't help me at all to know that the developer of said
software indeed has "David Niklas" on his passport. That gives me no
more confidence in the integrity of the software than if he had a
different name. All I need to know is that that piece of software that I
previously trusted has had an update written by the guy or girl I trust,
regardless of his or her name.[1]

I don't understand "it's only really a checksum". The key property is
that it's signed by the same developer each and every time. A checksum
has very different properties, but I might simply misunderstand you.

> Someone who I had never previously even heard of once signed my old,
> now revoked key - were that person someone "known" to be nasty, it
> would have degraded my key's value.

No, it should not degrade the key's value. Unfortunately the key's value
is in the eye of the beholder, and that eye is often not fully aware of
the lack of implications an untrusted signature has. An untrusted
signature has precisely one implication: useless baggage. It neither
increases nor decreases the value of the key it has signed.

One of the people whose key I've signed at a keysigning party gained a
signature by Adolph Hitler. Enter Godwin's Law. Anyway, he revoked the
key. I can understand that. It just looks bad when someone uses the web
interface of a keyserver to look up his key. But it doesn't degrade his
key in any way other than what is a misperception. Only trusted keys
matter. Untrusted keys can be wholly ignored. Even if they are from the
Führer.

> The best it could have been is totally meaningless.

It /is/ totally meaningless. And we should educate users that it is
meaningless.

HTH,

Peter.

[1] If some really persistent threat was Man In The Middle all the time
I downloaded the software and the key, they could replace the key all
that time by their own. Then at some point, when I trust the wrong key,
they could still do something nasty with the software. But this is a
much higher bar than once MITM'ing and inserting nastiness.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

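Peter's point above (an untrusted signature is "useless baggage" that neither raises nor lowers a key's value), Faramir's earlier remark that bogus signatures from bogus keys don't weaken the WoT, and Robert's three conditions for a meaningful signature all follow from how validity is computed in GnuPG's classic trust model. The following is an added example that reimplements those rules; it is not GnuPG's code, does no OpenPGP parsing, and the key names, owner-trust settings and certification graph are constructed for the demonstration.

```python
"""Web-of-trust validity, in the style of GnuPG's classic trust model.

Added example for this thread: not GnuPG's code and no real OpenPGP
parsing. Keys are plain strings, a certification is an edge from a signer
to the key it signed, and the whole graph below is constructed.
The same words (full/marginal/unknown) are used for two different scales,
as GnuPG does: owner trust (how far you trust a key's owner to certify
others) and validity (how sure you are that a key belongs to its UID).
"""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(sigs, ownertrust, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """Return {key: validity}, validity being FULL, MARGINAL or UNKNOWN.

    sigs:       {signed_key: {signer_key, ...}}   certifications on each key
    ownertrust: {key: ULTIMATE|FULL|MARGINAL|UNKNOWN}   your local settings

    Rules (classic model):
      * an ultimately trusted key is fully valid at depth 0;
      * only a signer that is itself FULLY valid, and whose owner trust is
        ultimate/full or marginal, contributes to the signed key's validity;
      * >= completes_needed full certifiers or >= marginals_needed marginal
        certifiers make a key fully valid; fewer (but at least one) make it
        marginally valid; anything else leaves it unknown;
      * certifiers max_cert_depth or more hops from an ultimate key are ignored.
    A signature from a key that is not valid therefore changes nothing.
    """
    keys = set(sigs) | {s for signers in sigs.values() for s in signers} | set(ownertrust)
    validity = {k: UNKNOWN for k in keys}
    depth = {}
    for k, t in ownertrust.items():
        if t == ULTIMATE:
            validity[k] = FULL
            depth[k] = 0

    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for key in keys:
            if validity[key] == FULL:
                continue
            full_count = marginal_count = 0
            best_depth = None
            for signer in sigs.get(key, ()):
                if signer == key or validity.get(signer) != FULL:
                    continue            # self-sigs and non-valid signers do not count
                d = depth[signer]
                if d >= max_cert_depth:
                    continue
                t = ownertrust.get(signer, UNKNOWN)
                if t in (ULTIMATE, FULL):
                    full_count += 1
                elif t == MARGINAL:
                    marginal_count += 1
                else:
                    continue            # valid key, but its owner is not trusted to certify
                best_depth = d + 1 if best_depth is None else min(best_depth, d + 1)
            if full_count >= completes_needed or marginal_count >= marginals_needed:
                new = FULL
            elif full_count or marginal_count:
                new = MARGINAL
            else:
                new = UNKNOWN
            if new != validity[key]:
                validity[key] = new
                if new == FULL:
                    depth[key] = best_depth
                changed = True
    return validity


def demo_graph(include_bogus=True):
    """Constructed web: 'me' is my own key; 'bogus' is a key nobody vouches for."""
    sigs = {
        "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
        "erin": {"alice"},                  # one fully trusted certifier
        "frank": {"bob", "carol"},          # two marginal certifiers: not enough
        "grace": {"bob", "carol", "dave"},  # three marginal certifiers: enough
    }
    if include_bogus:
        sigs["erin"].add("bogus")           # the "Adolph Hitler" signature case
        sigs["heidi"] = {"bogus"}           # a key certified only by the bogus key
    ownertrust = {"me": ULTIMATE, "alice": FULL,
                  "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}
    return sigs, ownertrust


def demo_validity(include_bogus=True):
    return compute_validity(*demo_graph(include_bogus))


def bogus_signature_is_baggage():
    """True if adding the bogus certifications changes no other key's validity."""
    with_bogus, without = demo_validity(True), demo_validity(False)
    return all(with_bogus[k] == without[k] for k in without)


if __name__ == "__main__":
    for key, v in sorted(demo_validity().items()):
        print(f"{key:6} {v}")
```

Running it shows erin fully valid with or without the bogus signature, heidi unknown because her only certifier is itself not valid, and frank only marginal because two marginally trusted introducers fall short of `marginals_needed`; these are the same outcomes `gpg --check-trustdb` would reach with the default `--marginals-needed 3 --completes-needed 1 --max-cert-depth 5`.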


Re: How to get your first key signed

2015-10-01 Thread Andrew Gallagher
On 01/10/15 11:35, Peter Lebbing wrote:
> 
> Well, it doesn't help me at all to know that the developer of said
> software indeed has "David Niklas" on his passport. That gives me no
> more confidence in the integrity of the software than if he had a
> different name. All I need to know is that that piece of software that I
> previously trusted has had an update written by the guy or girl I trust,
> regardless of his or her name.[1]

Yes, trust in the intent, or competency, of a particular person is
completely different to verification of the identity of that person
(which is why I think PGP's use of the word "trust" in this context is
dangerously misleading).

> [1] If some really persistent threat was Man In The Middle all the time
> I downloaded the software and the key, they could replace the key all
> that time by their own. Then at some point, when I trust the wrong key,
> they could still do something nasty with the software. But this is a
> much higher bar than once MITM'ing and inserting nastiness.

And if you want to create a localsig on that basis, fire away. But
publicly certifying someone else's key is a statement of identity
verification, not trust.

A





Re: How to get your first key signed

2015-10-01 Thread Bob Henson
On 01/10/2015 11:35 am, Peter Lebbing wrote:
> On 01/10/15 10:33, Bob Henson wrote:
>> There might be a possible exception where there is no individual
>> person to meet - the verification signature with software, say. When
>> you have downloaded the software from the same, known website for
>> some time it might be reasonable to sign the verification key - if a
>> tad pointless if it is only really a checksum.
> 
> Well, it doesn't help me at all to know that the developer of said
> software indeed has "David Niklas" on his passport. That gives me no
> more confidence in the integrity of the software than if he had a
> different name. All I need to know is that that piece of software that I
> previously trusted has had an update written by the guy or girl I trust,
> regardless of his or her name.[1]

That's what I was implying when I described it as a possible exception.


> I don't understand "it's only really a checksum". The key property is
> that it's signed by the same developer each and every time. A checksum
> has very different properties, but I might simply misunderstand you.

If the program has been altered the signature will fail, will it not?

> 
>> Someone who I had never previously even heard of once signed my old,
>> now revoked key - were that person someone "known" to be nasty, it
>> would have degraded my key's value.
> 
> No, it should not degrade the key's value. Unfortunately the key's value
> is in the eye of the beholder, and that eye is often not fully aware of
> the lack of implications an untrusted signature has. An untrusted
> signature has precisely one implication: useless baggage. It neither
> increases nor decreases the value of the key it has signed.
> 
> One of the people whose key I've signed at a keysigning party gained a
> signature by Adolph Hitler. Enter Godwin's Law. Anyway, he revoked the
> key. I can understand that. It just looks bad when someone uses the web
> interface of a keyserver to look up his key. But it doesn't degrade his
> key in any way other than what is a misperception. Only trusted keys
> matter. Untrusted keys can be wholly ignored. Even if they are from the
> Führer.
> 
>> The best it could have been is totally meaningless.
> 
> It /is/ totally meaningless. And we should educate users that it is
> meaningless.

Agreed. But a new user who has yet to be educated would baulk at
trusting a key signed by Genghis Khan or Attila the Hun - however they
perceived it, they might well refuse to acknowledge the signature as
valid and would certainly not sign it or assign it user trust - that's
human nature. Human beings are essentially illogical. :-)




Re: How to get your first key signed

2015-10-01 Thread Mark H. Wood
On Thu, Oct 01, 2015 at 09:33:59AM +0100, Bob Henson wrote:
> On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
> >> I create for myself a gpg key and want to get it signed
> > 
> > More important than whether your certificate gets signed is who signs
> > the certificate, who they are connected to, and so on.
> > 
> > Some people will sign almost anything.  People who get a reputation for
> > signing anything develop a reputation for their signatures being
> > meaningless.  Some people have very strong requirements before they'll
> > sign.  Their signatures are often worth quite a lot of credibility, but
> > good luck getting them.
> > 
> > The good news is this *can be done*.  I promise.
> > 
> > The best thing you can do right now is to get involved in the community.
> >  Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> > three good ones).  And when you post, sign your messages.  Over time
> > people will come to trust that your signature connects to the real you,
> > even if they can't promise that your name really is David Niklas, or
> > can't say what you look like.
> > 
> 
> Whilst that is partially useful, surely it only vouches for the fact
> that the postings came from the same person and not who that person is -
> and as such is of very limited use. I have a "newsgroup" key for that
> purpose - but it is a tad pointless. I think I know the person who calls
> himself Robert J. Hansen and you have certainly corresponded with
> someone called Robert H. Henson, but we have no idea who those people
> are unless we meet. Keys should only ever be signed in person and if the
> person is not well known to you by sight, with some form of irrefutable
> photo evidence being presented along with the key signature - a
> passport, or something carrying equal weight.

There are two issues here.  One is what the O.P. asked:  how to get
useful signatures which bind a key to a specific physical-world
person.  Face-to-face meetings, photo ID, etc. are all part of that.

But the other is binding a key to a reputation.  And that can be done
at arms' length, simply by doing stuff in public and signing the stuff
with your perhaps-unsigned key.  If I've examined, tested, and used
stuff bound to key X, and learned to trust it, then when I meet some
other stuff bound to key X it is not unreasonable to trust it more
readily since, by means of key X, it is bound to stuff that I already
trust.

> There might be a possible exception where there is no individual person
> to meet - the verification signature with software, say. When you have
> downloaded the software from the same, known website for some time it
> might be reasonable to sign the verification key - if a tad pointless if
> it is only really a checksum. Perhaps the same applies to a Certificate
> Authority key, say. But a signature of any person's key that you have
> not met and positively verified is worse than useless as it degrades the
> whole trust process. Someone who I had never previously even heard of
> once signed my old, now revoked key - were that person someone "known"
> to be nasty, it would have degraded my key's value. The best it could
> have been is totally meaningless.

To put my point more plainly:  signatures on products and signatures
on keys mean different things, and to gain trust for them works in
different ways.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: How to get your first key signed

2015-10-01 Thread Andrew Gallagher
On 01/10/15 15:18, Mark H. Wood wrote:
> 
> To put my point more plainly:  signatures on products and signatures
> on keys mean different things, and to gain trust for them works in
> different ways.

Another case where common PGP terminology is confusing. You don't really
"sign a key", you certify that a particular identity should be bound to
a key. This process uses the same algorithm as a signature, but the
semantics are different - as evidenced by the fact that [C]ertify and
[S]ign are distinct usages.

A



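Andrew's distinction above (and the localsig remark in his earlier reply in this thread) is visible directly in GnuPG's machine-readable key listing. The following is an added example written for this archive, not code from GnuPG or from any poster: it reads the record format of gpg --with-colons --list-sigs, separates certifications (signature classes 0x10 to 0x13) from document signatures, flags local-only certifications (the kind --lsign-key makes, which --export leaves out by default), and reads the [C]/[S]/[E] capability letters. The listing it parses is a constructed sample; the key IDs, fingerprints, names and addresses are made up.

```python
"""Tell certifications apart from ordinary signatures in a GnuPG key listing.

Added example for this thread, not code from GnuPG or from any poster.  It
reads the machine-readable listing format of `gpg --with-colons --list-sigs`
(record fields separated by ':').  The listing below is constructed: the key
IDs, fingerprints, names and addresses are made up.
"""

# Constructed sample listing.  Field 12 of a pub/sub record holds the key's
# capabilities (lowercase = this key, uppercase = usable for the whole key);
# field 11 of a sig record holds the signature class as two hex digits plus
# 'x' (exportable) or 'l' (local-only, as made by --lsign-key).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1443700000:::u:::scESC::::::23::0:
fpr:::::::::0011223344556677889900112233445566778899:
uid:u::::1443700000::00112233445566778899AABBCCDDEEFF00112233::Example User <user@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1443700000::::Example User <user@example.org>:13x::0011223344556677889900112233445566778899:::8:
sig:::1:FEDCBA9876543210:1443786400::::Keysigning Partner <partner@example.net>:13x::FFEEDDCCBBAA99887766554433221100FFEEDDCC:::8:
sig:::1:1111222233334444:1443872800::::Cautious Friend <friend@example.com>:10l::1111222233334444555566667777888899990000:::8:
sub:u:4096:1:FEDCBA0987654321:1443700000::::::e::::::23:
"""

# RFC 4880 signature types: 0x10-0x13 certify a user ID on a key; 0x00/0x01
# sign a document; 0x18 binds a subkey; 0x20/0x30 are revocations.
CERTIFICATION_CLASSES = range(0x10, 0x14)
DOCUMENT_CLASSES = (0x00, 0x01)


def parse_records(listing):
    """Split a --with-colons listing into lists of fields, one per record."""
    return [line.split(":") for line in listing.splitlines() if line.strip()]


def key_capabilities(listing):
    """Map each key ID to its own capability letters (c/s/e/a).

    The primary key carries 'c' (certify) and 's' (sign) separately: the
    [C] usage is what lets it make certifications on other keys."""
    caps = {}
    for rec in parse_records(listing):
        if rec[0] in ("pub", "sub"):
            caps[rec[4]] = "".join(ch for ch in rec[11] if ch.islower())
    return caps


def classify_signature(sig_class):
    """Return (kind, exportable) for a sig record's class field, e.g. '13x'."""
    code = int(sig_class[:2], 16)
    exportable = sig_class[2:3] == "x"
    if code in CERTIFICATION_CLASSES:
        kind = "certification"
    elif code in DOCUMENT_CLASSES:
        kind = "document-signature"
    else:
        kind = "other"
    return kind, exportable


def certifications(listing):
    """List the certifications on the key: who made them, whether they are
    self-signatures, and whether they would survive --export (local-only
    certifications are not exported by default)."""
    records = parse_records(listing)
    primary = next(rec[4] for rec in records if rec[0] == "pub")
    result = []
    for rec in records:
        if rec[0] != "sig":
            continue
        kind, exportable = classify_signature(rec[10])
        if kind != "certification":
            continue
        result.append({
            "signer": rec[4],
            "signer_uid": rec[9],
            "self": rec[4] == primary,
            "exportable": exportable,
        })
    return result


if __name__ == "__main__":
    print(key_capabilities(SAMPLE_LISTING))
    for cert in certifications(SAMPLE_LISTING):
        print(cert)
```

Run it as a script, or feed the functions the real output of gpg --with-colons --list-sigs KEYID. Only the fields named in the comments are read, so the extra trailing fields newer GnuPG versions emit are ignored.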


Re: How to get your first key signed

2015-10-01 Thread Robert J. Hansen
> Whilst that is partially useful, surely it only vouches for the fact
> that the postings came from the same person and not who that person is -
> and as such is of very limited use.

Yes.  No.  Somewhere in between.

Some years ago a user on PGP-Basics was irate over how I refused to sign
my messages.  My argument was basically the one you were using: that
nobody on the list had verified my identity and that made my signatures
of marginal use.  This fellow insisted, and insisted rudely, so John
Clizbe, John W. Moore, and I all conspired together to make a point: we
created a keypair, shared it amongst us, and all three of us used the
exact same certificate to sign our emails.

It took a few months for anyone to notice.

So sure, yes, without identity verification it's hard to have confidence
in someone's legal identity, absolutely.  But even with identity
verification, most people don't even bother to check to see that the
signing certificate's email address matches the one on the email.
Identity verification is a useful step: it's not a sufficient one by itself.

> purpose - but it is a tad pointless.

Pointless in the sense of *legal* identity.  But there are many
identities other than the legal.

One of my favorite books, _Shibumi_, was written by an author named
Trevanian.  Trevanian was infamously private and withdrawn: there are
only a few interviews with him and they were all conducted via letter or
email.  Trevanian wrote books, had some amazing ideas and insights, and
was even responsible for a great Clint Eastwood movie (_The Eiger
Sanction_).  Trevanian was a real identity, as real as you could hope for.

And then there was Rodney William Whitaker, a professor at a small
American university who never amounted to very much.  Except that,
unbeknownst to the world at large, he was Trevanian.

So let's imagine, for sake of argument, that Trevanian had an OpenPGP
certificate which he used to sign all of his books, plays, and
screenplays, so that people could be confident they were reading an
authentic Trevanian work.  If I just read _The Eiger Sanction_, okay,
fine, that signature has little merit for me.  But then would come
_Shibumi_ and _The Summer of Katya_ and by the time _The Crazyladies of
Pearl Street_ came out I could be confident that if I saw Trevanian's
signature on an ebook, that ebook would be worth my hard-earned money.

Trevanian is an identity every bit as real as Rodney William Whitaker.
Trevanian can amass reputation, engage in interviews and communication,
opine on things, have fans and foes, the whole nine yards.  The only
thing Trevanian can't do is get a driver's license, because Trevanian
isn't a *legal* identity.

> are unless we meet. Keys should only ever be signed in person and if the
> person is not well known to you by sight, with some form of irrefutable
> photo evidence being presented along with the key signature - a
> passport, or something carrying equal weight.

No.  Absolutely not.  This is flat wrong.

You don't get to control what somebody else's signing policy is.  They
get to decide that on their own.  Neither you nor I nor anyone else gets
a vote in it.  We don't get to say what they should or should not do.

I have determined what *my own* signing policy is, and yes, it depends
on face to face meetings and identity documents.  That's because it
makes sense for my needs to do this.  But other people will have
different needs, and I've got no business telling them what their
signing policy should be.  Neither do you.



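Robert's remark that most people never check whether the signing certificate's address matches the one on the e-mail describes a check a client can make mechanically. The following is an added example written for this archive, not code from GnuPG, Enigmail or any poster: given the From: header of a message and the gpg --with-colons listing of the key that verified its signature, it reports whether a live (non-revoked, non-expired) user ID on that key carries the claimed address. The listing and the headers are constructed samples; the key ID and addresses are made up.

```python
"""Check that the signing key carries the address an e-mail claims to be from.

Added example for this thread, not code from GnuPG, Enigmail or any poster.
It takes the From: header of a signed message and the `gpg --with-colons`
listing of the key that made the signature, and reports whether any
non-revoked, non-expired user ID on that key carries the same address.
The listing and headers are constructed samples; key ID and addresses are
made up.
"""
from email.utils import parseaddr

# Constructed sample: one live user ID and one revoked (validity 'r') user ID
# on the key that signed the message.  Field 2 of a uid record is its
# validity, field 10 the user ID string.
SIGNER_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1443700000:::u:::scESC::::::23::0:
uid:u::::1443700000::AA11BB22CC33DD44EE55FF66AA11BB22CC33DD44::Example User <user@example.org>::::::::::0:
uid:r::::1400000000::BB22CC33DD44EE55FF66AA11BB22CC33DD44EE55::Example User <old@example.net>::::::::::0:
"""


def live_addresses(listing):
    """Return the lowercase e-mail addresses on non-revoked, non-expired UIDs."""
    addresses = set()
    for line in listing.splitlines():
        rec = line.split(":")
        if rec[0] != "uid" or rec[1] in ("r", "e"):
            continue
        _, addr = parseaddr(rec[9])
        if addr:
            addresses.add(addr.lower())
    return addresses


def from_matches_signer(from_header, listing):
    """True when the From: address is carried by a live UID on the signing key.

    parseaddr() takes the address from the angle-bracket part, so a display
    name that merely *looks* like the expected address does not match."""
    _, claimed = parseaddr(from_header)
    return bool(claimed) and claimed.lower() in live_addresses(listing)


if __name__ == "__main__":
    for header in ('"Example User" <User@Example.org>',
                   "Example User <old@example.net>",
                   '"user@example.org" <someone-else@example.net>'):
        print(header, "->", from_matches_signer(header, SIGNER_LISTING))
```

This check only says whether the verified key and the sender address agree; it does not replace signature verification itself, and a revoked or expired UID is deliberately ignored so that an address the owner has withdrawn no longer counts as a match.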


Re: How to get your first key signed

2015-10-01 Thread Robert J. Hansen
> Names are tremendously fluid instruments.  Charles Martel, the hero of
> France, didn't actually have a last name...

Oh, man -- I completely forgot the great one from modernity.  You can be
elected President under a pseudonym.  Not only that: *it's already
happened*.  President Ulysses Simpson Grant.

His real name was Hiram Ulysses Grant.  That's what's on his birth
certificate.  When he was seventeen he asked Congressman Thomas Hamer to
nominate him for West Point (the American Army's military college).
Hamer got the name wrong and wrote it down as "Ulysses Simpson Grant".
Grant refused to correct Hamer's error, though, as he thought that "U.S.
Grant" was a much better set of initials for a military officer than "HUG".

So if a pseudonym's good enough to get elected President of the United
States... is it a pseudonym at all?  Would you refuse to sign Ulysses S.
Grant's certificate on the grounds that "well, that isn't your *real* name"?



Re: How to get your first key signed

2015-10-01 Thread jonas hedman
On 15-10-01 13:05:28, Robert J. Hansen wrote:
> > Whilst that is partially useful, surely it only vouches for the fact
> > that the postings came from the same person and not who that person is -
> > and as such is of very limited use.
> 
> Yes.  No.  Somewhere in between.
> 
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages.  My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use.  This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
> 
> It took a few months for anyone to notice.
> 
> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely.  But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.
> Identity verification is a useful step: it's not a sufficient one by itself.

Don't all decent e-mail clients automagically check if a signature is
legit and matches the known public key?


/Jonas




Re: How to get your first key signed

2015-10-01 Thread Robert J. Hansen
(This came just to me, not to the mailing list.  I'm assuming Bob
intended to reply-all and just hit the wrong button.  If I'm in error,
Bob, please forgive me.)

> What would be no use, and possibly harmful, would be to sign that 
> certificate just because you had seen it a couple of times - unless 
> you've met him and certified in person by some means that he is 
> indeed the owner of that pseudonym you cannot ask other people to 
> accept your opinion as to who he is or might be by signing his key.

This depends on what a certification means.

You have a belief that a certification must, _a priori_, be connected to
a legal identity.  This isn't necessarily true.  Imagine there are
thousands, millions, of self-styled prophets who announce tomorrow's
lottery numbers.  They sign each pronouncement.  One particular lottery
prophet has always been right.  Someone then asks you, "So this lottery
prophet, 0xBADD00D5F00DBAD, is he for-real?"

And you could say, "All I know is, the person who uses that certificate
has always been right so far."

And that would be a certification, and that would be a perfectly
appropriate usage of certification.  If other people want to project
onto your certification that the prophet's name is Maurice Micklewhite,
or whatever -- that's their projection and their folly, not yours.  Your
certification was accurate and appropriate.

> Sorry, I don't believe in gods, ghosts or pseudonyms - none of them 
> exist.

Neither does "Bob Henson".  The collection of bits that represent the
glyphs that make up "Bob Henson" has no more connection to you than the
word "gift" does to a ... well, to something.  In German it's poison, in
English it's a present.  Neither one is right or wrong.  What matters is
whether we can use a pseudonym to identify a figure, not whether that
actually happens to be the person's given name.

Look at how many people have read the teachings of Jesus Christ.  Are
his teachings any different just because his name was actually Isho?

Err -- well -- maybe it was Isho.  Probably.  But it was also probably
Yeshua ben Yosef.  Christ grew up speaking Aramaic in conversation and
Hebrew in the temple.  He had two names: in Aramaic he was Isho, in
Hebrew he was Yeshua, and after his death accidents of transliteration
into Greek turned Yeshua into Iesous, which then turned into Latin as
Iesus, and then when Latin invented the J- letter he became Jesus.  Look
at how many names that guy's had over the years, and during his life *no
two groups could agree on his legal name*.

Look at William Shakespeare.  We've got six of his signatures, and they
all have different spellings of his name:

* Willm Shakp
* William Shaksper
* Wm Shakspe
* William Shakspere
* Willm Shakspere
* William Shakespeare

... and these were all recognized as his legal name.  (All six
signatures are on legal documents.)

Names are tremendously fluid instruments.  Charles Martel, the hero of
France, didn't actually have a last name.  "Martel" is an appellation he
picked up on the battlefield: it means "hammer".  Chuck the Hammer was
so named because of how he beat the Moors at the Battle of Poitiers in
732.  Within a few years, the "pseudonym" of Martel became his very real
last name just by dint of how many Frenchmen would look at you funny if
you suggested his name was something *other* than Martel.

If you think pseudonyms don't exist, well--there are two possibilities I
can see.  If you're saying that "all names are really pseudonymous to
one degree or another, so it doesn't make sense to call some names true
names and some other ones fake", then I agree with you.  If you're
saying that "only true names exist and I insist on calling Jesus 'Isho',
Charles Martel 'Charles', William Shakespeare 'Wm Shakspe', and so on,"
then I think you're quite wrong.  :)

I dunno.  If any observant Jews want to argue with me that the
Tetragrammaton is the original true name and that everything else is
pseudonymous, I think that would be a fascinating theological argument
we should have off-list.  :)

> If there is no fairly fixed procedure and standard for signing

There have been a large number of well-meaning, well-intentioned people
who have wanted there to be one--but there isn't one and never has been.

> Why in all the years of use of PGP/GnuPG have the pundits always 
> advocated and laid down rules for key signing parties and face to 
> face meetings?

Nobody has.  They've laid down *guidelines*.  "We think this is a pretty
good procedure to follow, and here's why.  Ultimately, though, it's up
to you."

Last year I was sitting in the audience at a keysigning event emceed by
Samir Nassar.  Samir was absolutely fastidious about how he did things,
but at the same time, he wasn't walking through the aisles of chairs
making sure that everybody was double-checking two forms of government
ID.  How could he?  Crazy to even suggest it.  He did what he could,
accepted there 

Re: How to get your first key signed

2015-10-01 Thread Robert J. Hansen
> Don't all decent e-mail clients automagically check if a signature is
> legit and matches the known public key?

Probably not "all", but a lot, yes.

The problem comes from you can't force a user to pay attention to a
warning.  Some years ago a friend of mine, Peter Likarish, invented a
browser plugin that would detect phishing sites.  When you hit a
suspected phishing site it would display a big red banner across the top
of the screen.  In controlled usability trials (he was a university
researcher), not a single person noticed the big red banner across the
top of the screen.  In exit interviews those who did notice it said they
assumed it was a banner ad and they just ignored it.

Users have become so accustomed to advertisements trying to attract
their attention that it's actually become difficult for apps to warn
people of real dangers.  This is a real concern in the usability field.
It's a hard problem.





Re: How to get your first key signed

2015-10-01 Thread Christopher Beck
On 09/30/15 19:17, David Niklas wrote:
> Hello,
> I create for myself a gpg key and want to get it signed, however I've
> sent out half a dozen requests and so far I've gotten only negative
> responses to the effect that I must know so-and-so and we must meet in
> person (considering that the person responds at all).
> Now, I'm a student (think penniless), and live in a rural area 100mi
> from the nearest LUG and people out here are _very_ computer illiterate
> to the point where educated people think that turning a computer off
> will damage it, or that the computer loses power (1GHz becomes .2GHZ),
> as it grows older. So no one has a key, at all. And they would not want
> to help create a web of trust even if I asked and explained it to them.
> They just don't believe in security around here (Oh, that would never
> happen to me! There are laws against that! You are a security freak.)
>
> I want to develop FOSS and feel obligated to get a key to protect uses
> of the software I'm modifying from MITM attacks.
>
> Thanks, David
>
Hi David,

I know that problem. But I did the following: I used "The Harvester" [1]
and did a search on the domain of my university on public key servers
and found out many people here, who use GPG. I just started e-mailing
some of them and met them to cross sign the keys. So my suggestion is,
look up the mail-addresses of a university when you are (for some
reasons) in that city. Okay, this requires you to travel, but you can
try that if you are in some other city for some reason.

I am active member of a local association and there are some people
using GPG, too. So to make it more comfortable to others, we created an
extra key, stored it on a smart-card and use this key to sign our keys.
This is uploaded on our website and people who trust our SSL-CA
(cacert.org) could think of trusting this key in addition to their own
WoT. We also put up our finger-prints to the contact fields of our
members (from those, who have GPG).

Additionally, you could add your GPG-finger-print to every presentation
you'll hold at university. This might also help.


[1]: https://code.google.com/p/theharvester/
[2]:

-- 
I use GnuPG (GPG) for E-Mail encryption and signing. If you want some privacy, 
my public key ID is 2F9D4F14. The file "signature.asc" this message includes 
contains a cryptographic signature which enables you to verify this E-Mail 
really was written by me.

Christopher Beck, DL1CHB

Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: bec...@jabber.org





Re: How to get your first key signed

2015-10-01 Thread Guan Xin
On Thu, Oct 1, 2015 at 7:05 PM, Robert J. Hansen wrote:
>
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages.  My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use.  This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
>
> It took a few months for anyone to notice.

So you three will share the same reputation on the mailing list.
If at least one of you commits crimes with your signed messages,
you will share the same legal liability unless proved not guilty
by other means, e.g. your private key was stolen or was derived
from your public key by the others, etc.

I don't think that's a problem because it doesn't cause any confusion
either online or offline.


> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely.  But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.

It's sad to hear that anyone takes it seriously to check that
a certificate's email address matches the originating mail address.
This really messes things up in the sense that it causes
additional inconvenience with little benefit.

I sign my files with exactly the same key no matter if they were sent
from my private email, business email, with IM tools, via http or fax.
In the last three cases there is no originating email address to check.

Of course I can use different keys, but what's the point?
More keys, more smart cards, more easily lost or forgotten,
more difficult to recognize by eye from their fingerprints ...

Guan



Re: How to get your first key signed

2015-09-30 Thread Robert J. Hansen
> I create for myself a gpg key and want to get it signed

More important than whether your certificate gets signed is who signs
the certificate, who they are connected to, and so on.

Some people will sign almost anything.  People who get a reputation for
signing anything develop a reputation for their signatures being
meaningless.  Some people have very strong requirements before they'll
sign.  Their signatures are often worth quite a lot of credibility, but
good luck getting them.

The good news is this *can be done*.  I promise.

The best thing you can do right now is to get involved in the community.
Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
three good ones).  And when you post, sign your messages.  Over time
people will come to trust that your signature connects to the real you,
even if they can't promise that your name really is David Niklas, or
can't say what you look like.

Once you've got a couple of years' track record of consistently using
the same certificate, consistently contributing to mailing lists and
FOSS projects, consistently being part of the solution and not part of
the problem ... I promise, you'll find people who are willing to vouch
for you.

There is no quick way, no shortcut.  But I think you'll find that
although it takes a while, it isn't hard, either.  :)

> Now, I'm a student (think penniless), and live in a rural area 100mi
> from the nearest LUG and people out here are _very_ computer illiterate
> to the point where educated people think that turning a computer off
> will damage it, or that the computer loses power (1GHz becomes .2GHZ),
> as it grows older.

I grew up on a farm in the middle of nowhere.  I know *exactly* what
that's like.

> I want to develop FOSS and feel obligated to get a key to protect uses
> of the software I'm modifying from MITM attacks.

So, first, host your software publicly, somewhere that it's easy to
find.  GitHub works great, but there are a lot of options.  On whatever
page you use for your FOSS work, put a notice that says "My GnuPG
certificate is 0xDEADBEEFDECAFBAD, and you can download signatures for
all the tarballs over here."

It works.  Seriously.  :)

Welcome to the community!





Re: How to get your first key signed

2015-09-30 Thread Ingo Klöcker
On Wednesday 30 September 2015 15:58:51 Robert J. Hansen wrote:
> > I create for myself a gpg key and want to get it signed
> 
> More important than whether your certificate gets signed is who signs
> the certificate, who they are connected to, and so on.
> 
> Some people will sign almost anything.  People who get a reputation
> for signing anything develop a reputation for their signatures being
> meaningless.  Some people have very strong requirements before
> they'll sign.  Their signatures are often worth quite a lot of
> credibility, but good luck getting them.
> 
> The good news is this *can be done*.  I promise.
> 
> The best thing you can do right now is to get involved in the
> community. Get engaged in the mailing lists (here, PGP-Basics,
> Enigmail-Users are three good ones).  And when you post, sign your
> messages.  Over time people will come to trust that your signature
> connects to the real you, even if they can't promise that your name
> really is David Niklas, or can't say what you look like.

Additionally to what Robert wrote you should upload your key 
(0x9B75C2AE183660FF) to the keyservers. Otherwise, nobody can check your 
signatures. I tried to download it, but failed:

# gpg --recv-keys 0x9B75C2AE183660FF
gpg: requesting key 183660FF from hkp server pool.sks-keyservers.net
gpgkeys: key 9B75C2AE183660FF not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0


Regards,
Ingo

