Re: [Foundation-l] PGP-keysign at the tech/chapter-meeting
DaB. wrote:
> Hello all,
>
> I think that when such a number of people come together it would be nice to have a key-signing in Berlin. If you have no idea what a key-signing is, look at the Wikipedia article [[en:Key_signing_party]].

Private keys can be compromised by anyone with a whim and a few thousand dollars, either physically by compromise of the device, or remotely by social engineering or zero-day exploit. Key signing parties are premised on the idea that private keys are really private. Since they aren't, the additional security of a real-life meeting is somewhat farcical.

Maybe in the crypto-anarchist fantasy future, filled with hostile corporations and governments, it would make sense. But in the real world, I think the SSL hierarchy provides a better model. It has a central authority with some competence in identity verification and security, which can issue a revocation certificate even if someone burns your house down. And you can verify the authenticity of a public key even if you don't have any friends.

My vote is for a Guitar Hero party instead.

-- Tim Starling

___
foundation-l mailing list
foundation-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
Re: [Foundation-l] PGP-keysign at the tech/chapter-meeting
2009/3/31 DaB. w...@daniel.baur4.info:
> Hello all,
>
> I think that when such a number of people come together it would be nice to have a key-signing in Berlin. If you have no idea what a key-signing is, look at the Wikipedia article [[en:Key_signing_party]]. If you don't own a PGP key yet and are a Linux user, there are several how-tos on the net to get one fast (there are how-tos for Windows users too, but it's more complex, but that doesn't need to stop you).
>
> Because there is no time (and place) for a hash-method keysigning (you know, all standing in a line for hours ;)), I would organise a list-method keysigning. That means that you send me
> * Your nick (if you have one)
> * Your realname (optional, but some people don't sign non-realname-keys)
> * Your keynumber
> * Your key-hash
> * Your key (if it is not on normal key-servers)

I think that a better idea would be to try to implement the RFC:2549 protocol. If successful, we could keep communication between chapters and developers meetings in case of an electricity shortage in Berlin ;-)

-- Tomek Polimerek Ganicz
http://pl.wikimedia.org/wiki/User:Polimerek
http://www.ganicz.pl/poli/
http://www.ptchem.lodz.pl/en/TomaszGanicz.html
Re: [Foundation-l] PGP-keysign at the tech/chapter-meeting
On Wed, Apr 1, 2009 at 8:51 AM, Tim Starling tstarl...@wikimedia.org wrote:
> Private keys can be compromised by anyone with a whim and a few thousand dollars, either physically by compromise of the device, or remotely by social engineering or zero-day exploit. Key signing parties are premised on the idea that private keys are really private. Since they aren't, the additional security of a real-life meeting is somewhat farcical.

Moreover, what's to stop someone from showing up and claiming to be you? How are you going to confirm that -- by their telling you they're coming and what they look like, over the Internet? Why don't they just sign your keys over the Internet and skip the middle-man?

Not to be negative or anything, sorry. (I'm not even going to be there.)
[Foundation-l] PGP-keysign at the tech/chapter-meeting
Hello all,

I think that when such a number of people come together it would be nice to have a key-signing in Berlin. If you have no idea what a key-signing is, look at the Wikipedia article [[en:Key_signing_party]]. If you don't own a PGP key yet and are a Linux user, there are several how-tos on the net to get one fast (there are how-tos for Windows users too, but it's more complex, but that doesn't need to stop you).

Because there is no time (and place) for a hash-method keysigning (you know, all standing in a line for hours ;)), I would organise a list-method keysigning. That means that you send me
* Your nick (if you have one)
* Your realname (optional, but some people don't sign non-realname-keys)
* Your keynumber
* Your key-hash
* Your key (if it is not on normal key-servers)
to p...@daniel.baur4.info.

I will make a list of that data. Then I (respectively the Verein) will print out several copies of that list and place them at central places (like the reception or the c-base) for hand-out. You can also place a sticker on your nameplate (to let people find you more easily) if you like (I have colorful sticker-dots here ;)).

You will take such a list and start looking for other people that stand on the list, check your hash on his/her list and his/her hash on your list, and mark your name as checked on his/her list and his/her name on your list if all is right. Then continue until all entries on your list are checked (or the meeting is over).

It would be very nice if many people would participate to increase the level of trust (at least the key-trust) between us.

Follow up to foundation-list.

Sincerely,
DaB.

P.S: Even if you come just to the party on Saturday, you can take part!
2.P.S: I organize a key-signing for the first time, so please be patient if I did anything wrong.

--
This email should be digitally signed with the PGP key 0x2D3EE2D42B255885. Please note that unsigned emails can be forged at will. Therefore, pay attention to signatures.
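The list-method check described in the announcement above, carried through to the signing step, as an added example that is not part of the original post. It assumes OpenPGP v4 keys, where the "key-hash" is the 40-hex-digit fingerprint and the "keynumber" (key ID) is its last 8 or 16 hex digits; the field names, status strings and all sample values are constructed.

```python
import re

def normalize_fpr(text):
    """Return a v4 fingerprint as 40 uppercase hex digits, or None if malformed."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    return fpr if re.fullmatch(r"[0-9A-F]{40}", fpr) else None

def normalize_keyid(text):
    """Drop an optional 0x prefix; accept short (8) or long (16) hex key IDs."""
    kid = re.sub(r"^0X", "", text.strip().upper())
    return kid if re.fullmatch(r"[0-9A-F]{8}|[0-9A-F]{16}", kid) else None

def audit_entry(entry, fetched):
    """Classify one row of the printed list against the key fetched afterwards."""
    fpr = normalize_fpr(entry["fingerprint"])
    kid = normalize_keyid(entry["keyid"])
    if fpr is None or kid is None:
        return "malformed"
    if not fpr.endswith(kid):  # a v4 key ID is the tail of the fingerprint
        return "keyid-mismatch"
    if not entry["checked"]:   # owner never confirmed this row face to face
        return "not-verified-in-person"
    got = normalize_fpr(fetched.get(kid, ""))
    if got is None:
        return "not-fetched"
    return "ok-to-sign" if got == fpr else "fingerprint-mismatch"

def audit(printed_list, fetched):
    return {e["nick"]: audit_entry(e, fetched) for e in printed_list}

# Constructed sample data: no value below belongs to a real key.
PRINTED_LIST = [
    {"nick": "alice", "keyid": "0x89ABCDEF01234567", "checked": True,
     "fingerprint": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"},
    {"nick": "bob", "keyid": "22223333", "checked": True,
     "fingerprint": "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"},
    {"nick": "carol", "keyid": "0xDEADBEEF", "checked": True,
     "fingerprint": "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"},
    {"nick": "dave", "keyid": "0F0F0F0F", "checked": False,
     "fingerprint": "0F0F 0F0F 0F0F 0F0F 0F0F  0F0F 0F0F 0F0F 0F0F 0F0F"},
]
# Keys as downloaded later, indexed by key ID. The "bob" key shares the short
# key ID on the list but has a different fingerprint.
FETCHED = {
    "89ABCDEF01234567": "0123456789ABCDEF0123456789ABCDEF01234567",
    "22223333": "AAAABBBBCCCCDDDDEEEEFFFF9999111122223333",
}

if __name__ == "__main__":
    for nick, status in audit(PRINTED_LIST, FETCHED).items():
        print(f"{nick:6} {status}")
```

The "bob" row shows why the list carries the full fingerprint as well as the key number: a key with the same short key ID but a different fingerprint is rejected.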