Re: [Cryptography] PGP Key Signing parties
I am one of the organizers of Security BSides Delaware, otherwise known as BSidesDE. We have already discussed having a key signing party, but if there is any interest, I'd love for any of you to be there, and potentially run it. Check out bsidesdelaware.com for dates, locations, and such. It's an academic environment, and we will have several hundred people there, from college students, to business, to infosec professionals. And we're only a couple of hours from the NSA!! ;)

Nov 8 and 9th, Wilmington, DE. Any interest?

Joshua Marpet

On Sat, Oct 12, 2013 at 8:00 AM, Stephen Farrell wrote:
>
> If someone wants to try organise a pgp key signing party at
> the Vancouver IETF next month let me know and I can organise a
> room/time. That's tended not to happen since Ted and Jeff
> don't come along but we could re-start 'em if there's interest.
>
> S.

--
Joshua A. Marpet
Managing Principal
GuardedRisk
http://www.GuardedRisk.com

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] PGP Key Signing parties
If someone wants to try organise a pgp key signing party at the Vancouver IETF next month let me know and I can organise a room/time. That's tended not to happen since Ted and Jeff don't come along but we could re-start 'em if there's interest.

S.
Re: [Cryptography] PGP Key Signing parties
On 2013-10-11 12:03:44 +0100 (+0100), Tony Naggs wrote:
> Do key signing parties even happen much anymore? The last time I saw
> one advertised was around PGP 2.6!
[...]

Within more active pockets of the global free software community (where OpenPGP signatures are used to authenticate release artifacts, security advisories, election ballots, access controls and so on) key signing parties are an extremely common occurrence... I'd say much more so now than a decade ago, as the community has grown continually and developed an increasing need to be able to recognize one another's output in a verifiable manner, asynchronously, distributed over great distances and across loosely-related subcommunities/projects.

--
{ PGP( 48F9961143495829 );
FINGER( fu...@cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/ );
IRC( fu...@irc.yuggoth.org#ccl );
WHOIS( STANL3-ARIN );
MUD( kin...@katarsis.mudpy.org:6669 ); }
Re: [Cryptography] PGP Key Signing parties
On 2013-10-11, at 07:03, Tony Naggs wrote:
> On 10 October 2013 22:31, John Gilmore wrote:
>>> Does PGP have any particular support for key signing parties built in or is
>>> this just something that has grown up as a practice of use?
>>
>> It's just a practice. I agree that building a small amount of automation
>> for key signing parties would improve the web of trust.
>
> Do key signing parties even happen much anymore? The last time I saw
> one advertised was around PGP 2.6!

The most recent key signing party I attended was five days ago (DNS-OARC meeting in Phoenix, AZ). I commonly have half a dozen opportunities to participate in key signing parties during a typical year's travel schedule to workshops, conferences and other meetings. This is not uncommon in the circles I work in (netops, dnsops).

My habit before signing anything is generally at least to have had a conversation with someone, observed their interactions with people I do know (I generally have worked with other people at the party). I'll check government-issued IDs, but I'm aware that I am not an expert in counterfeit passports and I never feel that I am able to do a good job at it. (I showed up to a key signing party at the IETF once with a New Zealand passport, a Canadian passport, a British passport, an expired Canadian permanent-resident card, three driving licences and a Canadian health card, and offered the bundle to anybody who cared to review them to make this easier for others. But that was mainly showing off.)

I have used key ceremonies to poison edges and nodes in the graph of trust following observations that particular individuals don't do a good enough job of this, or that (in some cases) they appear to have made signatures at an event where I was present and I know they were not. That's a useful adjunct to a key ceremony (I think) that many people ignore. The web of trust can also be a useful web of distrust.

Joe
Re: [Cryptography] PGP Key Signing parties
On 10 October 2013 22:31, John Gilmore wrote:
>> Does PGP have any particular support for key signing parties built in or is
>> this just something that has grown up as a practice of use?
>
> It's just a practice. I agree that building a small amount of automation
> for key signing parties would improve the web of trust.

Do key signing parties even happen much anymore? The last time I saw one advertised was around PGP 2.6!

>> I am specifically thinking of ways that key signing parties might be made
>> scalable so that it was possible for hundreds of thousands of people...
>
> An important user experience point is that we should be teaching GPG
> users to only sign the keys of people who they personally know.
> Having a signature that says, "This person attended the RSA conference
> in October 2013" is not particularly useful. (Such a signature could
> be generated by the conference organizers themselves, if they wanted
> to.) Since the conference organizers -- and most other attendees --
> don't know what an attendee's real identity is, their signature on
> that identity is worthless anyway.

I can sign the public keys of people I personally know without a key signing party. :-)

For many purposes I don't care about a person's official, legal identity, but I do want to communicate with a particular persona. For instance at DefCon or CCC I neither know nor care whether someone identifies themselves to me by their legal name or hacker handle, but it is very useful to know & authenticate that they are in control of a private PGP/GPG key in that name on a particular date.
Re: [Cryptography] PGP Key Signing parties
Glenn Willen writes:
> I am going to be interested to hear what the rest of the list says about
> this, because this definitely contradicts what has been presented to me as
> 'standard practice' for PGP use -- verifying identity using government issued
> ID, and completely ignoring personal knowledge.

I've very rarely used that (would you recognise a fake European ID card, or NZ passport, if you saw one?), I've always used either direct personal knowledge or personal WoT, i.e. an introduction from someone I know, in person. This is exactly how organised crime does it (see "Codes of the Underworld: How Criminals Communicate" by Diego Gambetta, damn good read), and it's extremely effective; if you think your generic APT requires effort then look at what it takes for law enforcement to get someone inside an organised crime ring.

Peter.
Re: [Cryptography] PGP Key Signing parties
On 11/10/13 02:24 AM, Glenn Willen wrote:
> John,
>
> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>> ...
>> Signing them would assert to any stranger that "I know that this key
>> belongs to this identity", which would be false and would undermine
>> the strength of the web of trust.

Where is this writ?

> I am going to be interested to hear what the rest of the list says about
> this, because this definitely contradicts what has been presented to me as
> 'standard practice' for PGP use -- verifying identity using government issued
> ID, and completely ignoring personal knowledge.

+1 I grew up in the "sign-on-first-meet" doctrine.

> Do you have any insight into what proportion of PGP/GPG users mean their
> signatures as "personal knowledge" (my preference and evidently yours),
> versus "government ID" (my perception of the community standard "best
> practice"), versus "no verification in particular" (my perception of the
> actual common practice in many cases)?

Good question.

> (In my ideal world, we'd have a machine readable way of indicating what sort
> of verification was performed. Signing policies, not being machine readable
> or widely used, don't cover this well. There is space for key-value
> annotations in signature packets, which could help with this if we
> standardized on some.)

Right. A signature has to mean something. What is that something?

The CA world is mumble mumble over semantics, whereas the PGP world openly offers incompatible conventions. Which is better or worse is beyond me.

iang
Re: [Cryptography] PGP Key Signing parties
On 2013-10-10 (283), at 19:24:19, Glenn Willen wrote:
> John,
>
> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>>
>> An important user experience point is that we should be teaching GPG
>> users to only sign the keys of people who they personally know.
[]
>> would be false and would undermine the strength of the web of trust.
>
> I am going to be interested to hear what the rest of the list says about
> this, because this definitely contradicts what has been presented to me as
> 'standard practice' for PGP use -- verifying identity using government issued
> ID, and completely ignoring personal knowledge.
>
> Do you have any insight into what proportion of PGP/GPG users mean their
> signatures as "personal knowledge" (my preference and evidently yours),
> versus "government ID" (my perception of the community standard "best
> practice"), versus "no verification in particular" (my perception of the
> actual common practice in many cases)?
>
> (In my ideal world, we'd have a machine readable way of indicating what sort
> of verification was performed. Signing policies, not being machine readable
> or widely used, don't cover this well. There is space for key-value
> annotations in signature packets, which could help with this if we
> standardized on some.)
>
> Glenn Willen
> __

Surely to make it two factor it needs to be someone you know _and_ something they have? :-)

__outer
Re: [Cryptography] PGP Key Signing parties
Reply to various,

Yes, the value in a given key signing is weak, in fact every link in the web of trust is terribly weak. However, if you notarize and publish the links in CT fashion then I can show that they actually become very strong.

I might not have good evidence of John Gilmore's key at RSA 2001, but I could get very strong evidence that someone signed a JG key at RSA 2001. Which is actually quite a high bar since the attacker would have to buy a badge which is $2,000. Even if they were going to go anyway and it is a sunk cost, they are rate limited.

The other attacks John raised are valid but I think they can be dealt with by adequate design of the ceremony to ensure that it is transparent.

Now stack that information alongside other endorsements and we can arrive at a pretty strong authentication mechanism. The various mechanisms used to evaluate the trust can also be expressed in the endorsement links.

What I am trying to solve here is the distance problem in Web o' trust. At the moment it is pretty well impossible for me to have confidence in keys for people who are ten degrees out. Yet I am pretty confident of the accuracy of histories of what happened 300 years ago (within certain limits).

It is pretty easy to fake a web of trust, I can do it on one computer, no trouble. But if the web is grounded at just a few points to actual events then it becomes very difficult to spoof.
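An added illustration of the "notarize and publish the links in CT fashion" idea from the message above (example code written for this archive, not anything from the thread or from a real log). Endorsement records are leaves of an RFC 6962-style Merkle tree; the notary publishes only the root, and anyone holding that root can check an inclusion proof for "someone signed this key at this event". The fingerprints and events in LOG are constructed placeholders, and tagging each proof step with its side is a simplification of real CT, where the verifier derives the side from the leaf index and tree size.

```python
import hashlib
import json

# Constructed sample log: who certified whose key, at which event, and at
# what certification level. Fingerprints and event names are placeholders.
LOG = [
    {"signer": "FPR-A", "signee": "FPR-JG", "event": "RSA 2001", "level": "casual"},
    {"signer": "FPR-B", "signee": "FPR-JG", "event": "RSA 2001", "level": "positive"},
    {"signer": "FPR-C", "signee": "FPR-D", "event": "IETF 88", "level": "persona"},
    {"signer": "FPR-A", "signee": "FPR-C", "event": "IETF 88", "level": "casual"},
]

def leaf_hash(record):
    # RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for inner nodes.
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(b"\x00" + payload).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n):
    """Largest power of two strictly less than n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, index):
    """Sibling hashes leaf-to-root, each tagged with the side it sits on."""
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("right", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("left", merkle_root(leaves[:k]))]

def verify_inclusion(record, proof, root):
    """Recompute the root from one record plus its proof; True iff it matches."""
    h = leaf_hash(record)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == root

def publish(log):
    """What the notary publishes: one root hash committing to every entry."""
    return merkle_root([leaf_hash(r) for r in log])
```

A record that was never in the published log, or a tampered copy of one that was, fails verification against the same root, which is what makes a forged web of trust distinguishable from one grounded in real events.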
Re: [Cryptography] PGP Key Signing parties
On Thu, Oct 10, 2013 at 04:24:19PM -0700, Glenn Willen wrote:
> I am going to be interested to hear what the rest of the list says about
> this, because this definitely contradicts what has been presented to me as
> 'standard practice' for PGP use -- verifying identity using government issued
> ID, and completely ignoring personal knowledge.

This obviously ignores the threat model of official fake IDs. This is not just academic for some users.

Plus, if you're e.g. linking up with known friends in RetroShare (which implements identities via PGP keys, and degrees of trust (none/marginal/full) by signatures, and allows you to tune your co-operative variables (Anonymous routing/discovery/forums/channels/use a direct source, if available) depending on the degree of trust.
Re: [Cryptography] PGP Key Signing parties
On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>> Does PGP have any particular support for key signing parties built in or is
>> this just something that has grown up as a practice of use?
>
> It's just a practice. I agree that building a small amount of automation
> for key signing parties would improve the web of trust.
>
> I have started on a prototype that would automate small key signing
> parties (as small as 2 people, as large as a few dozen) where everyone
> present has a computer or phone that is on the same wired or wireless
> LAN.

Phil Zimmermann and Jon Callas had started to work on that around 1998, they might still have some of that design around.

--Paul Hoffman
Re: [Cryptography] PGP Key Signing parties
John,

On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>
> An important user experience point is that we should be teaching GPG
> users to only sign the keys of people who they personally know.
> Having a signature that says, "This person attended the RSA conference
> in October 2013" is not particularly useful. (Such a signature could
> be generated by the conference organizers themselves, if they wanted
> to.) Since the conference organizers -- and most other attendees --
> don't know what an attendee's real identity is, their signature on
> that identity is worthless anyway.
>
> So, if I participate in a key signing party with a dozen people, but I
> only personally know four of them, I will only sign the keys of those
> four. I may have learned a public key for each of the dozen, but that
> is separate from me signing those keys. Signing them would assert to
> any stranger that "I know that this key belongs to this identity", which
> would be false and would undermine the strength of the web of trust.

I am going to be interested to hear what the rest of the list says about this, because this definitely contradicts what has been presented to me as 'standard practice' for PGP use -- verifying identity using government issued ID, and completely ignoring personal knowledge.

Do you have any insight into what proportion of PGP/GPG users mean their signatures as "personal knowledge" (my preference and evidently yours), versus "government ID" (my perception of the community standard "best practice"), versus "no verification in particular" (my perception of the actual common practice in many cases)?

(In my ideal world, we'd have a machine readable way of indicating what sort of verification was performed. Signing policies, not being machine readable or widely used, don't cover this well. There is space for key-value annotations in signature packets, which could help with this if we standardized on some.)

Glenn Willen
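An added example of the "key-value annotations in signature packets" the message above refers to (written for this archive; not code from the thread). OpenPGP calls them Notation Data subpackets (RFC 4880 section 5.2.3.16): four flag octets, two-octet name and value lengths, then name and value, wrapped in the usual subpacket length/type header of section 5.2.3.1. The encoder and parser below are a minimal implementation of that wire format; the notation name "verification@example.org" and its values are constructed placeholders, not a standardised convention.

```python
import struct

NOTATION_DATA = 20            # RFC 4880 5.2.3.16 Notation Data
POLICY_URI = 26               # RFC 4880 5.2.3.20 Policy URI
HUMAN_READABLE = 0x80000000   # notation flags: bit 7 of the first flag octet
CRITICAL = 0x80               # critical bit in the subpacket type octet

def encode_subpacket(sp_type, body, critical=False):
    """Prefix body with the RFC 4880 subpacket header: length, then type."""
    n = len(body) + 1                       # length covers the type octet too
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return length + bytes([sp_type | (CRITICAL if critical else 0)]) + body

def encode_notation(name, value, critical=False):
    """Build one human-readable notation subpacket, e.g. a placeholder
    'verification@example.org=government-id' (constructed name)."""
    name_b, value_b = name.encode(), value.encode()
    body = struct.pack(">IHH", HUMAN_READABLE, len(name_b), len(value_b))
    return encode_subpacket(NOTATION_DATA, body + name_b + value_b, critical)

def parse_subpackets(data):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        t = data[i]
        yield t & 0x7F, bool(t & CRITICAL), data[i + 1:i + n]
        i += n

def notations(data):
    """Return {name: value} for every human-readable notation in the area."""
    out = {}
    for t, _critical, body in parse_subpackets(data):
        if t != NOTATION_DATA:
            continue
        flags, nlen, vlen = struct.unpack(">IHH", body[:8])
        if flags & HUMAN_READABLE:
            out[body[8:8 + nlen].decode()] = body[8 + nlen:8 + nlen + vlen].decode()
    return out
```

Marking such a notation critical (the 0x80 bit in the type octet) tells implementations that do not understand it to treat the signature as invalid, which is how a community could make an agreed verification-method annotation mandatory rather than advisory.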
Re: [Cryptography] PGP Key Signing parties
> Does PGP have any particular support for key signing parties built in or is
> this just something that has grown up as a practice of use?

It's just a practice. I agree that building a small amount of automation for key signing parties would improve the web of trust.

I have started on a prototype that would automate small key signing parties (as small as 2 people, as large as a few dozen) where everyone present has a computer or phone that is on the same wired or wireless LAN.

> I am specifically thinking of ways that key signing parties might be made
> scalable so that it was possible for hundreds of thousands of people...

An important user experience point is that we should be teaching GPG users to only sign the keys of people who they personally know. Having a signature that says, "This person attended the RSA conference in October 2013" is not particularly useful. (Such a signature could be generated by the conference organizers themselves, if they wanted to.) Since the conference organizers -- and most other attendees -- don't know what an attendee's real identity is, their signature on that identity is worthless anyway.

So, if I participate in a key signing party with a dozen people, but I only personally know four of them, I will only sign the keys of those four. I may have learned a public key for each of the dozen, but that is separate from me signing those keys. Signing them would assert to any stranger that "I know that this key belongs to this identity", which would be false and would undermine the strength of the web of trust.

John