Re: Hybrid keysigning party, your opinion?

[Nils Vogels]

Hey Peter, and list!

Peter Lebbing schreef op 2017-02-20 17:58:

On 19/02/17 21:16, Nils Vogels wrote:
I'll read up on this thread from the archives, but I'm exploring 
possibilities
to enhance the FOSDEM format with the use of QR for on-the-spot 
signing for
those who want to and don't mind having signatures submitted by 
signers to

keyservers.


Thank you for organizing a party! I'm definitely up for assisting with 
the

organization.



The keysigning party has been scheduled for monday 7/8/17, and I'm 
drafting the wiki pages with instructions as we speak, using a slightly 
modernized Sassaman-Efficient protocol, and see where we go from there.


Feel free to check out https://program.sha2017.org/events/245.html and 
https://wiki.sha2017.org/w/Keysigning-Party, and offcourse, join in! :)


Regards,
Nils

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 19/02/17 21:16, Nils Vogels wrote:
> I'll read up on this thread from the archives, but I'm exploring possibilities
> to enhance the FOSDEM format with the use of QR for on-the-spot signing for
> those who want to and don't mind having signatures submitted by signers to
> keyservers.

Thank you for organizing a party! I'm definitely up for assisting with the
organization.

I'd first have to look up on the FOSDEM format. The QR codes are indeed a nice
addition, however, it is inherently restricted to just a part of the attendees.
I don't trust my phone with my certifications, and holding a laptop with webcam
is really awkward and I might even drop it.

Normally I'd leave my certification-capable smartcard at home as well.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Nils Vogels]

Hey Peter, 

I've submitted a keysigning party at sha2017 earlier,  so we should have a slot 
to try something out.

I'll read up on this thread from the archives,  but I'm exploring possibilities 
to enhance the FOSDEM format with the use of QR for on-the-spot signing for 
those who want to and don't mind having signatures submitted by signers to 
keyservers. 


On 18 February 2017 16:15:04 CET, Peter Lebbing  wrote:
>Hello Lachlan,
>
>
>On 15/02/17 14:32, Lachlan Gunn wrote:
>> Given the discussion on the list before, now that CCC has come and
>gone
>> I'm curious as to how well this worked.
>
>It failed on a trivial point: by the Friday before the congress, I had
>only
>received four signups. A list with five keys is a poor list indeed. I
>switched
>the model to the classic "bring keyslips" model.
>
>> Is it an innovation worth
>> perpetuating?
>
>I think it would work. I'd like to try again.
>
>In fact, given that we don't need to place trust in the paper copies, I
>think it
>would actually work if I kept sign-up open until just before the party,
>and
>printed a stack of "scrubbed" lists myself to hand out. However, it was
>my
>feeling that some people would not feel comfortable with this
>brand-spanking-new
>"no need to trust me, really! Have my stuff" type of lists, so I didn't
>do that.
>I intended to cater to the untrusting crowd by giving them enough time
>to print
>their own lists and do it the in the usual Sassaman Efficient way.
>
>Given that this would have, on the flip side, catered to the handful of
>people
>who showed up without keyslips, perhaps it would still be a fair
>tradeoff for
>limiting the untrusting people in their possibilities.
>
>You could receive sign-ups by e-mail until the latest moment, and you
>would
>print the untrusted lists so anybody who didn't bring any keyslips
>could still
>be on that list by signing up.
>
>Note that there is no value judgement in how I use "untrusting" here,
>it's just
>a way to sum up a group of people in a single adjective.
>
>Next opportunity for a keysigning party for me will be SHA 2017,
>starting the
>4th of August in Zeewolde, The Netherlands[1].
>O Come, All Ye Hackful! Adeste Fiddle-es[2]!
>
>Cheers,
>
>Peter.
>
>[1] 
>[2] Fiddle-es: those who tinker.
>
>-- 
>I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>You can send me encrypted mail if you want some privacy.
>My key is available at
>

-- 
Sent from my mobile device. Please excuse my brevity.___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Le 2017-02-19 à 01:45, Peter Lebbing a écrit :
> It failed on a trivial point: by the Friday before the congress, I had only
> received four signups. A list with five keys is a poor list indeed. I switched
> the model to the classic "bring keyslips" model.

Ah, fair enough.  That's a bit unfortunate, but thanks for the report!

Thanks,
Lachlan



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Philip Jackson]

On 18/02/17 16:15, Peter Lebbing wrote:
> O Come, All Ye Hackful! Adeste Fiddle-es[2]!
Yea !

Philip



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

Hello Lachlan,


On 15/02/17 14:32, Lachlan Gunn wrote:
> Given the discussion on the list before, now that CCC has come and gone
> I'm curious as to how well this worked.

It failed on a trivial point: by the Friday before the congress, I had only
received four signups. A list with five keys is a poor list indeed. I switched
the model to the classic "bring keyslips" model.

> Is it an innovation worth
> perpetuating?

I think it would work. I'd like to try again.

In fact, given that we don't need to place trust in the paper copies, I think it
would actually work if I kept sign-up open until just before the party, and
printed a stack of "scrubbed" lists myself to hand out. However, it was my
feeling that some people would not feel comfortable with this brand-spanking-new
"no need to trust me, really! Have my stuff" type of lists, so I didn't do that.
I intended to cater to the untrusting crowd by giving them enough time to print
their own lists and do it the in the usual Sassaman Efficient way.

Given that this would have, on the flip side, catered to the handful of people
who showed up without keyslips, perhaps it would still be a fair tradeoff for
limiting the untrusting people in their possibilities.

You could receive sign-ups by e-mail until the latest moment, and you would
print the untrusted lists so anybody who didn't bring any keyslips could still
be on that list by signing up.

Note that there is no value judgement in how I use "untrusting" here, it's just
a way to sum up a group of people in a single adjective.

Next opportunity for a keysigning party for me will be SHA 2017, starting the
4th of August in Zeewolde, The Netherlands[1].
O Come, All Ye Hackful! Adeste Fiddle-es[2]!

Cheers,

Peter.

[1] 
[2] Fiddle-es: those who tinker.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Hello,

Le 2016-12-05 à 00:03, Peter Lebbing a écrit :
> I am asking for your thoughts on a variant of the organization of the
> keysigning party. I'll explain my reasoning and intentions, and I would
> like to know if you think I forgot to think of something important. Is
> there a way a malicious party could get people to sign the wrong UID,
> because I didn't think of that way? I'm not interested in ways people
> could cheat at the usual "informal" keysigning party model, with
> exchanging paper keyslips. This is because this would be my fallback
> model, if the proposed model doesn't work out. So I'm only interested in
> cases where the proposed model introduces extra issues compared to the
> informal exchanging keyslips model.


Given the discussion on the list before, now that CCC has come and gone
I'm curious as to how well this worked.  Is it an innovation worth
perpetuating?

Thanks,
Lachlan



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Le 2016-12-14 à 04:34, Peter Lebbing a écrit :
> Oh, not at all, I hadn't even noticed one could see it that way.

My bad; such is the life of the email-user.

> Or hang a truly huge printout on the wall and at the start of the
> session, together observe that it is correct. Any latecomers can be told
> "look, everybody thinks it's completely normal that we have a 64 digit
> hex code on the wall, and that's because we all agreed it's the right one".

Yes, with paper that would work.  I rejected it because I was imagining
a projector, which obviously could change the hash halfway through.

Thanks,
Lachlan




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 12/12/16 06:27, Lachlan Gunn wrote:
> My apologies if I came across as overly harsh.

Oh, not at all, I hadn't even noticed one could see it that way.

. What I meant was that it
> took me a little bit of time to work out exactly what you meant, so
> someone unfamilar with the web of trust will probably not follow
> exactly;

This was a mail to a crypto-mailing list asking cryppies for advice on
how to cripple... er... subvert a certain setup. Totally different audience!

> One last thought: This may be naïvely optimistic, but if everyone
> finishes at the same time then you can always do a second confirmation
> of the list-hash at the end for people who are late to the session.

Hmm, interesting idea. Could be possible.

>  Or
> if you're into arts and crafts, give them a copy of the master hash on
> overhead transparency that they can use to very quickly check against
> someone else's.

Or hang a truly huge printout on the wall and at the start of the
session, together observe that it is correct. Any latecomers can be told
"look, everybody thinks it's completely normal that we have a 64 digit
hex code on the wall, and that's because we all agreed it's the right one".

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 12/12/16 07:02, Lachlan Gunn wrote:
> Also, while I promised to forever hold my peace, you might want to give
> people a a programmatic way to make the scrubbed list so that those who
> print their own don't need to manually verify it.

If they want to have a known good copy, they can just print the detailed
list!

They then also have the opportunity to have gpgsigs annotate it with the
signatures they already did at an earlier keysigning party, saving them
the trouble of re-identifying someone for nothing. (Note that not all
people consider this "for nothing", some actually like to have a new
signature).

> The //d (rather
> than s///) is important because unless it makes the list shorter, there
> isn't any incentive to go to the trouble :)

I chose to replace them by empty lines so the lists still line up if you
choose the screen font to be a similar size as the printed font. I will
be literally holding my paper list next to my monitor, it's useful if
they line up and all information that is the same looks exactly the
same. You spot errors much quicker that way.

Thanks for your thoughts,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Le 2016-12-12 à 03:45, Peter Lebbing a écrit :
> My e-mail was 1424 words though, so I am afraid I ended up in your
> wishful thinking area.
> 
> The remaining 1607 words are in the sections "Background" and "Option
> for advanced users", and those words happen to include the name Lachlan.
> Go check it out! ;-P

My apologies if I came across as overly harsh.  What I meant was that it
took me a little bit of time to work out exactly what you meant, so
someone unfamilar with the web of trust will probably not follow
exactly; it may just have been that I went through your email too late
at night. Something along the lines of the following might make it more
clear to everyone who is familiar with the hashed-list approach:

Those who are in the advance list are certified in the usual way,
and latecomers hand out keyslips in order to get themselves
certified.

If you are late you need to check when you get home
that the names and serial numbers on the form that we gave
out match those on the one whose hash is on the projector.

But this is just me nitpicking about presentation.  I think the idea is
good, and falls into that wonderful category of things that are obvious
in retrospect, but in need of someone clever to make the breakthrough
without the benefit of hindsight.

One last thought: This may be naïvely optimistic, but if everyone
finishes at the same time then you can always do a second confirmation
of the list-hash at the end for people who are late to the session.  Or
if you're into arts and crafts, give them a copy of the master hash on
overhead transparency that they can use to very quickly check against
someone else's.

Thanks,
Lachlan



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Le 2016-12-12 à 03:45, Peter Lebbing a écrit :
> I really like this suggestion! I had to think about it for a while
> before I could see a way to make it work. The trouble is that I want
> caff to be able to process the file, and for that I need to keep it
> having much of the same patterns. I ended up not significantly altering
> the two files compared to what I proposed, but instead suggesting
> everybody should use the scrubbed version. That way, the instructions
> are the same for all participants.

Also, while I promised to forever hold my peace, you might want to give
people a a programmatic way to make the scrubbed list so that those who
print their own don't need to manually verify it.  This might add too
much complexity, so I don't know whether it is worthwhile.

Something like

sed -re '/^(pub|\s+Key fingerprint).*$/d' scrubbed.txt

is easy enough to verify by eye as not being a trick.  The //d (rather
than s///) is important because unless it makes the list shorter, there
isn't any incentive to go to the trouble :)

Thanks,
Lachlan



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Recording keysigning attendants on phone (was: Hybrid keysigning party, your opinion?)

[Lachlan Gunn]

Le 2016-12-08 à 22:30, Stephan Beck a écrit :
> Yes, to your first question. How you would do that via the
> hash-on-the-projector method, is not clear to me, though. Would that be
> for generating the (initial) list of the organizers as in Sassaman
> Efficient (as an additional service for people using cell phones or
> tablets)? Or wouldn't there be any paper copy at the event?
> Sorry, for questions that might seem obvious to you.

Yes, sorry.  There wouldn't be any paper copy, which might be a problem,
unless you have a printer available to produce printed copies on demand
which can be checked later.

The idea is to allow people to add themselves to the list right up until
the last minute, then someone cuts the ribbon, the system emails it to
everyone and displays it on the projector, and they all follow either
the standard Sassaman method or Peter's hybrid one.

Thanks,
Lachlan



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

(OT) Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 11/12/16 21:37, Robert J. Hansen wrote:
> Peter's correction was made in a spirit of utterly pedantic attention
> to detail [a spirit I share!]

Hah! Guilty as charged :-).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Robert J. Hansen]

> Or you might not because it was based on a stupid thinking error on my
> side. Let's make it "a chance of 1 in 2^128", which could be the chance
> of you trying a symmetric encryption key and actually being right about it.

I'm glad you made the correction: that error was so profound.  :)


(For those not up on their large-number theory: the difference is
insignificant.  Peter's correction was made in a spirit of utterly
pedantic attention to detail [a spirit I share!], not because it mattered.)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 11/12/16 18:22, Peter Lebbing wrote:
> You might recognise the chosen quantity :-).

Or you might not because it was based on a stupid thinking error on my
side. Let's make it "a chance of 1 in 2^128", which could be the chance
of you trying a symmetric encryption key and actually being right about it.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 08/12/16 15:08, Lachlan Gunn wrote:
> Can't they get this from the other participants in the line?  Checking
> with a few people at random gives reasonable assurance that this is what
> was agreed on at the beginning, or they can check them all if they want
> to be certain.

Personally, I find checking a few other participants to be too weak an
assurance. I don't believe in security by numbers. If I'm dealing with
statistics, I want them to be on the order of "chance of one in 2^127".
You might recognise the chosen quantity :-). But everybody is free to
decide their own policy.

And checking at everyone would hold up the process; it's 64 hex digits
to verify!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 08/12/16 14:51, Lachlan Gunn wrote:
> Personally I am of the mind that anything longer than that email is
> wishful thinking, you have to get people to actually follow it.

The e-mail wasn't meant to be the text for participants. I've spent all
afternoon writing a text at the 33C3 wiki[1], but only part of it is
meant to be read by everyone, or essentially, everyone who wants to know
more than the most basic. It's 1764 words. I've tried to restrict it to
the important things, and I feel that cutting it further down would lose
important information. I don't think it's necessary for everyone to read
the whole section, though.

My e-mail was 1424 words though, so I am afraid I ended up in your
wishful thinking area.

The remaining 1607 words are in the sections "Background" and "Option
for advanced users", and those words happen to include the name Lachlan.
Go check it out! ;-P

> To this end, another suggestion is to make the forms that they fill in
> identical, whether or not they are late.  You could do this by putting
> the fingerprints at the end of the primary document and just printing
> out the first bit for latecomers.  This might save some "I don't know
> how your form works, I have the prearranged one" on the day.

I really like this suggestion! I had to think about it for a while
before I could see a way to make it work. The trouble is that I want
caff to be able to process the file, and for that I need to keep it
having much of the same patterns. I ended up not significantly altering
the two files compared to what I proposed, but instead suggesting
everybody should use the scrubbed version. That way, the instructions
are the same for all participants.

Thank you,

Peter.

[1] https://events.ccc.de/congress/2016/wiki/Session:Keysigning_party

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Stephan Beck]

Peter Lebbing:
> On 08/12/16 14:14, Stephan Beck wrote:
>> Just some meditations:
>>
>> So, the late attendees can see and hear that the ordinary participants 
>> confirm the checksum and that their fingerprints check out?
> 
> Yes, the late attendees definitely need to be there at the beginning of the
> party, verifying that the SHA256 checksum printed at the top of their scrubbed
> list is the one being read aloud and hearing everybody confirm their 
> fingerprint
> is correct.
[...]

Thanks, Peter. No more open questions!
As with everything, I think I'd have to set up such an event and go
through its practical application (or participate in one) to become more
expert. Let me see if there are any in my region.

Stephan


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Le 2016-12-09 à 00:25, Peter Lebbing a écrit :
> Yes, the late attendees definitely need to be there at the beginning of the
> party, verifying that the SHA256 checksum printed at the top of their scrubbed
> list is the one being read aloud and hearing everybody confirm their 
> fingerprint
> is correct.

Can't they get this from the other participants in the line?  Checking
with a few people at random gives reasonable assurance that this is what
was agreed on at the beginning, or they can check them all if they want
to be certain.

Thanks,
Lachlan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Le 2016-12-08 à 22:05, Peter Lebbing a écrit :
> Stephan and Lachlan, thank you for thinking about this! I need to make a
> decision soon, I really need feedback!

Not a problem, efficient keysigning is something I've been pondering for
a while, so I'm really glad to see people working in the area.

> I wouldn't say my information is detailed actually, I could write a *lot* more
> about proper procedure. But I hoped I didn't have to, instead just focussing 
> on
> what I wanted to do *differently* from usual.

Personally I am of the mind that anything longer than that email is
wishful thinking, you have to get people to actually follow it.  The
ones who need to do it are also only the ones who weren't organised in
advance, so I think keep the extra work to a minimum if you want to
maximise the useful signatures from them.

To this end, another suggestion is to make the forms that they fill in
identical, whether or not they are late.  You could do this by putting
the fingerprints at the end of the primary document and just printing
out the first bit for latecomers.  This might save some "I don't know
how your form works, I have the prearranged one" on the day.

It's late here now, but I'll try to have a look over the weekend to see
if there are any missed opportunities for automation.

Thanks,
Lachlan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

On 08/12/16 14:14, Stephan Beck wrote:
> Just some meditations:
> 
> So, the late attendees can see and hear that the ordinary participants 
> confirm the checksum and that their fingerprints check out?

Yes, the late attendees definitely need to be there at the beginning of the
party, verifying that the SHA256 checksum printed at the top of their scrubbed
list is the one being read aloud and hearing everybody confirm their fingerprint
is correct.

> One that was on the list and didn't show up would not get the required marks
> on () fpr () id ?

Correct, I actually cross out the full entry with my pen, but it would suffice
not to put a check mark on Fingerprint. A check mark on ID is totally out of the
question, that check mark indicates you have verified their identity!

> Would that person be (as uid-serial number, 001, 002, 003...) on the
> attendee's fingerprint-less list? But that person definitely would not end up
> as a person being included in the final list?

The list is *immutable*. It is finished before the event even starts, and has a
known SHA256 checksum.

People are not added to or removed from the list.

Late participants get the original list as it was sent to the early registrants,
with the precise, known SHA256 list.

After someone has verified they at least received the correct list
electronically, they're free to change whatever they like on the list for
themselves, *but not to send on to others*. It is vitally important that wat is
sent to people is the original list with the correct SHA256 checksum. And if
somebody is unable to get a list with the correct SHA256 checksum, they have
wasted their time with verifying the people on the list. But this would be an
odd situation: nobody is able to send them an unmodified file? I'd worry about
my computer and my internet connection then, not the time lost during the
keysigning.

> Then, by checking serial numbers, as you say, it's ok :-)

Checking serial numbers <-> UID mappings is /purely/ to catch out dishonesty on
the part of the person who printed the scrubbed lists for the late attendees. It
is not to account for changes in who was present and stuff like that.

Of course I'll provide the lists, so I for myself know they will be okay.
However, the other people would just have my word for it, and that is wholly
insufficient.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Stephan Beck]

Peter Lebbing:
> Stephan and Lachlan, thank you for thinking about this! I need to make a
> decision soon, I really need feedback!
> 
> On 07/12/16 22:44, Stephan Beck wrote:
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
> 
> The normal attendees also don't do any fingerprint verification *at the 
> party*.
> At home, before the party, they checked their own fingerprint, and generated 
> the
> SHA256 checksum for the file they got. At the party, everybody together checks
> the SHA256 checksum by simply reading aloud each and every digit.

Yes, Peter, but they are the "ordinary" participants who went through
the preparation, and then state (at the event) that the checksum is
{checksum} and that the corresponding fingerprint on the list is theirs
and that it is correct ("check out"). The others (late attendees) just
hand out their keyslip (keyslip is just an "unverified statement"),
receive the keyslip from the other, together with the fingerprint-less
list they have, and postpone the verification to the moment when they
are at home and have been sent the list from the organizer. By that
time, the other ("Sassaman's Efficient ordinary participants") can
already be sure of the integrity/authenticity of the messages of their
communication partners and that partner's true identity.

Just some meditations:

So, the late attendees can see and hear that the ordinary participants
confirm the checksum and that their fingerprints check out?
One that was on the list and didn't show up would not get the required
marks on () fpr () id ? Would that person be (as uid-serial number, 001,
002, 003...) on the attendee's fingerprint-less list? But that person
definitely would not end up as a person being included in the final
list? That might produce inconsistencies in numbering. So the final list
just would not include some serial numbers that once were on the
"initial" list or the fingerprint-less list? Then, by checking serial
numbers, as you say, it's ok :-)

Cheers

Stephan


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Stephan Beck]

Hi,

Lachlan Gunn:
> Le 2016-12-08 à 08:14, Stephan Beck a écrit :
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
> 
> If I understand correctly, the late attendees still get a copy of the
> fingerprints after the fact, they just don't have it on their sheet of
> paper.  The fingerprint-less piece of paper just lets them keep a record
> of who they have verified, and gives them a hash of the list that does
> have the fingerprints, which they can compare with the people who were
> ready beforehand (to make sure that the fingerprints have been verified
> by the identity holders).

yes, they still get the original file from the organizer afterwards,
that's true.

caff automatically checks the fingerprint on import (before mailing out
each of the signed keys/UID), so there's no way of tampering. If they
hadn't those fingerprints (or the original file/list), caff would not
let them go on.

Quote from README.many-keys

$ caff   
> I've actually thought of doing an electronic keyslip program for mobile
> phones/tablets that would let you build the list electronically using QR
> codes or NFC, or maybe doing it via the hash-on-the-projector method for
> maximum speed.  Then you could just download the file to your signing
> machine and let CAFF do its thing.
> 
> Would this interest anyone?  Does the idea have flaws that I'm blind to?

Yes, to your first question. How you would do that via the
hash-on-the-projector method, is not clear to me, though. Would that be
for generating the (initial) list of the organizers as in Sassaman
Efficient (as an additional service for people using cell phones or
tablets)? Or wouldn't there be any paper copy at the event?
Sorry, for questions that might seem obvious to you.

Thanks

Stephan


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Peter Lebbing]

Stephan and Lachlan, thank you for thinking about this! I need to make a
decision soon, I really need feedback!

On 07/12/16 22:44, Stephan Beck wrote:
> Doesn't your proposal imply that late attendees could
> make their way through all the keysigning without fingerprint
> verification? Or do I miss something?

The normal attendees also don't do any fingerprint verification *at the party*.
At home, before the party, they checked their own fingerprint, and generated the
SHA256 checksum for the file they got. At the party, everybody together checks
the SHA256 checksum by simply reading aloud each and every digit.

> Thank you in any case for your detailed information, that encouraged me
> to install the keysigning package and have a look into it. It seems to
> be a great tool for organizing a key-signing event!

It is :-)

I wouldn't say my information is detailed actually, I could write a *lot* more
about proper procedure. But I hoped I didn't have to, instead just focussing on
what I wanted to do *differently* from usual.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Recording keysigning attendants on phone (was: Hybrid keysigning party, your opinion?)

[Peter Lebbing]

On 08/12/16 07:29, Lachlan Gunn wrote:
> If I understand correctly, the late attendees still get a copy of the
> fingerprints after the fact, they just don't have it on their sheet of
> paper.  The fingerprint-less piece of paper just lets them keep a record
> of who they have verified, and gives them a hash of the list that does
> have the fingerprints, which they can compare with the people who were
> ready beforehand (to make sure that the fingerprints have been verified
> by the identity holders).

Yes, that is spot on what I had in mind. What do you think?

> Does the idea have flaws that I'm blind to?

I can't say as to your perception, but all these "verify at the party, sign
after the party" share the problem that the list could be modified in the time
between verifying and signing.

Somebody could picpocket your list, add checkmarks with the same type of pen you
used, and then sneak it back into your possession. That's a physical act that
requires an intimate level of proximity.

A phone or tablet is a wirelessly connected device that could be hacked from a
distance, and it could be done even before the keysigning.

I'd say the latter is in principle more vulnerable; but it depends on your
threat model. If, for instance, you've already concluded that you want to have
your primary key on the same phone or tablet, it doesn't matter anymore if you
then also keep this party list on there.

For the sake of my sanity and the fact that I'll need to make the decision about
the 33C3 keysigning soon, let's please not mingle these subthreads. If you reply
to my "What do you think?", I'd suggest re-instating the previous Subject:-line 
:-).

Thank you!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Lachlan Gunn]

Le 2016-12-08 à 08:14, Stephan Beck a écrit :
> Doesn't your proposal imply that late attendees could
> make their way through all the keysigning without fingerprint
> verification? Or do I miss something?

If I understand correctly, the late attendees still get a copy of the
fingerprints after the fact, they just don't have it on their sheet of
paper.  The fingerprint-less piece of paper just lets them keep a record
of who they have verified, and gives them a hash of the list that does
have the fingerprints, which they can compare with the people who were
ready beforehand (to make sure that the fingerprints have been verified
by the identity holders).

I've actually thought of doing an electronic keyslip program for mobile
phones/tablets that would let you build the list electronically using QR
codes or NFC, or maybe doing it via the hash-on-the-projector method for
maximum speed.  Then you could just download the file to your signing
machine and let CAFF do its thing.

Would this interest anyone?  Does the idea have flaws that I'm blind to?

Thanks,
Lachlan



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Hybrid keysigning party, your opinion?

[Stephan Beck]

Peter Lebbing:
> Hi all,
> 
> In just a few weeks, the 33C3 will be held in Hamburg, the 33th Chaos
> Communication Congress organized by the Chaos Computer Club. I intend to
> organize a keysigning party, just because they are fun.
> 
> I am asking for your thoughts on a variant of the organization of the
> keysigning party. 

...
Doesn't your proposal imply that late attendees could
make their way through all the keysigning without fingerprint
verification? Or do I miss something?

Cheers

Stephan


Thank you in any case for your detailed information, that encouraged me
to install the keysigning package and have a look into it. It seems to
be a great tool for organizing a key-signing event!




0x4218732B.asc
Description: application/pgp-keys


0x4218732B.asc
Description: application/pgp-keys


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hybrid keysigning party, your opinion?

[Peter Lebbing]

Hi all,

In just a few weeks, the 33C3 will be held in Hamburg, the 33th Chaos
Communication Congress organized by the Chaos Computer Club. I intend to
organize a keysigning party, just because they are fun.

I am asking for your thoughts on a variant of the organization of the
keysigning party. I'll explain my reasoning and intentions, and I would
like to know if you think I forgot to think of something important. Is
there a way a malicious party could get people to sign the wrong UID,
because I didn't think of that way? I'm not interested in ways people
could cheat at the usual "informal" keysigning party model, with
exchanging paper keyslips. This is because this would be my fallback
model, if the proposed model doesn't work out. So I'm only interested in
cases where the proposed model introduces extra issues compared to the
informal exchanging keyslips model.

There are several methods to do a keysigning party. One of them is the
"Sassaman efficient" version. It requires preparation, and this
preparation must be done in time that everybody can print out their copy
of the list. With a congress spanning several days, this means the
preparation should probably be done before the congress, since in
general you shouldn't print your list on a printer you don't completely
trust, and most people don't bring a printer (I did! :).

Now Sassaman efficient has a very big issue. There will always be people
who also wish to attend the keysigning party who did not participate in
the preparations. As far as I can see, these people could just
participate as equals with printed out keyslips to hand out to the other
people. However, I've seen multiple times that these late guests were
treated as second-class participants. I've actually seen them delegated
to the corridor outside the room where the party was held, told to wait
until the others were done! I never got a chance to exchange
fingerprints with these people because of course they left a long time
before the party inside was done. I can't imagine this was a very
pleasant experience for them.

The common denominator of the Sassaman efficient and the informal method
is that you form a line of people that folds in on itself. Now, as I see
it, you can just form a line beginning with the people on the list and
ending with the people who joined late.[1] With the people on the list,
you only check ID's and place a checkmark on your list when satisfied.
Once you get to the part with the late attendants[2], you instead
exchange key slips. I don't see why the people who are not on the list
should not be allowed to be in the same line, yet it is what I've seen
happening.

Anyway, so, Sassaman efficient has a major problem. It also has
advantages. At the bottom line, there is only one advantage I find relevant.

With Sassaman efficient, you actually only have to check one SHA256 hash
and your own fingerprint.

No matter how many attendees, you don't have to check anyone else's
fingerprint manually. Just the two!

This is because you have a SHA256-protected list of fingerprints already
in digital form; no need to compare to printed out digits on paper. All
attendees who participated in the preparation have gotten a text file
which contains all fingerprints of the participants, and they print out
this list as well as compute its checksum. Additionally, they check that
their *own* fingerprint in this list is correct. At the event, the
SHA256 checksum of the text file is read aloud and everybody compares it
to the checksum on their piece of paper. Next, each participant on the
list is asked in turn whether their fingerprint checked out.[3]

After the event, you'll go home and sign keys, using the verified text
file that has the correct SHA256 checksum. Now when you use CA - Fire
and Forget, caff, all you have to check are the UID's you are signing.
The SHA256 checksum has already ascertained that the fingerprints in the
text file are correct; anyone altering a fingerprint will necessarily
alter the checksum of the file. And caff checks the fingerprint for you
from the known-correct file! As long as all participants verified that
their own fingerprint is correct in the file with the correct SHA256
hash, all fingerprints have been verified already.

It will still be *very* important to verify the UID's manually. What if
the official list had a key with fingerprint X and UID
, but once you download the key with fingerprint X,
there's instead an UID ? You need to check that you
only sign UID's carrying Alice's name that you verified from her
passport or similar thing.

I quite like it that I don't have to verify dozens of fingerprints
manually; I'd like to keep the list if possible. So can we improve on
the party where there is a line of both people on the list and people
with keyslips? I think we can.

I think ideally, the participants who only joined after the preparations
should also be able to use the list for the people that are on it,