Re: Keysigning party: after the event challenges

2019-02-10 Thread Ben McGinnes
On Sun, Feb 10, 2019 at 03:36:05PM +0100, André Ockers wrote:
> Hi Peter,
> 
> Thank you very much.
> 
> 
> On 09-02-19 at 12:48, Peter Lebbing wrote:
> > Hello André,
> >
> > On 09/02/2019 09:06, André Ockers wrote:
> >> - 171 official keysigning party participants, of whom 107 showed up to my
> >> awareness;
> > This is going to be a pain to do manually. But you don't have to! As the
> > FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
> > (last sentence of the page, not counting the footer).
> >
> > If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
> > you have checked on your paper list, you can feed this text file with
> > checkmarks directly to caff and it will import the keys for you *and*
> > verify their fingerprints! It will only consider entries with checkmarks
> > for both "Fingerprint OK" and "ID OK", so only when the participant has
> > acknowledged their fingerprint matches and you have marked that you find
> > their identification papers match.
> 
> Done.
> 
> > The FOSDEM KSP offers a keyring with all the keys from the party. You
> > can feed that to caff as well and it won't even need to fetch the keys
> > from a keyserver (which might not have all keys).
> >
> > My suggestion is to look for "caff" and documentation and try that
> > before you verify 107 fingerprints manually :-). If you still hit
> > problems, report back here and we can take a further look.
> 
> Following documentation [1], I checked that I have Postfix installed and
> now I'm here [2]
> 
> $ sudo postconf -e 'relayhost = smtp.provider.nl'
> [sudo] wachtwoord voor andre:
> postconf: fatal: open /etc/postfix/main.cf for reading: No such file or
> directory

Make sure that the postconf in your $PATH matches where the Postfix
config directory really is.  Depending on which distro you're actually
using, it might be somewhere like /usr/local/etc/postfix/ or something
similar.

If locate's db is up to date then there's a good chance that running
"locate main.cf" will answer this for you (or confirm you really don't
have a Postfix config file; but if that were true then you'd have much
bigger problems with launching Postfix).

Anyway, assuming postconf is not loading the right file, but the
config file exists, then you can just edit the main.cf file directly
(possibly via sudoedit) to add your relayhost config line.  Then
follow it with:

$ sudo postfix reload


Regards,
Ben



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Keysigning party: after the event challenges

2019-02-10 Thread André Ockers
Hi Peter,

Thank you very much.


On 09-02-19 at 12:48, Peter Lebbing wrote:
> Hello André,
>
> On 09/02/2019 09:06, André Ockers wrote:
>> - 171 official keysigning party participants, of whom 107 showed up to my
>> awareness;
> This is going to be a pain to do manually. But you don't have to! As the
> FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
> (last sentence of the page, not counting the footer).
>
> If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
> you have checked on your paper list, you can feed this text file with
> checkmarks directly to caff and it will import the keys for you *and*
> verify their fingerprints! It will only consider entries with checkmarks
> for both "Fingerprint OK" and "ID OK", so only when the participant has
> acknowledged their fingerprint matches and you have marked that you find
> their identification papers match.

Done.

> The FOSDEM KSP offers a keyring with all the keys from the party. You
> can feed that to caff as well and it won't even need to fetch the keys
> from a keyserver (which might not have all keys).
>
> My suggestion is to look for "caff" and documentation and try that
> before you verify 107 fingerprints manually :-). If you still hit
> problems, report back here and we can take a further look.

Following documentation [1], I checked that I have Postfix installed and
now I'm here [2]

$ sudo postconf -e 'relayhost = smtp.provider.nl'
[sudo] wachtwoord voor andre:
postconf: fatal: open /etc/postfix/main.cf for reading: No such file or
directory

Best regards,

André Ockers

[1] https://wiki.debian.org/caff
[2] https://www.howtoforge.com/postfix_relaying_through_another_mailserver





Re: Keysigning party: after the event challenges

2019-02-09 Thread Peter Lebbing
Hello André,

On 09/02/2019 09:06, André Ockers wrote:
> - 171 official keysigning party participants, of whom 107 showed up to my
> awareness;

This is going to be a pain to do manually. But you don't have to! As the
FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
(last sentence of the page, not counting the footer).

If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
you have checked on your paper list, you can feed this text file with
checkmarks directly to caff and it will import the keys for you *and*
verify their fingerprints! It will only consider entries with checkmarks
for both "Fingerprint OK" and "ID OK", so only when the participant has
acknowledged their fingerprint matches and you have marked that you find
their identification papers match.

The FOSDEM KSP offers a keyring with all the keys from the party. You
can feed that to caff as well and it won't even need to fetch the keys
from a keyserver (which might not have all keys).

My suggestion is to look for "caff" and documentation and try that
before you verify 107 fingerprints manually :-). If you still hit
problems, report back here and we can take a further look.

> - 5 participants have a key on the keyserver in a for Enigmail
> downloadable state;

That sounds odd, there might be something malfunctioning. But if you use
caff, you don't need Enigmail. And if you use the supplied keyring from
the party, you don't need to use a keyserver at all.

HTH,

Peter.

[1] https://fosdem.org/2019/keysigning/

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>





Re: Keysigning party: after the event challenges

2019-02-09 Thread Teemu Likonen
André Ockers [2019-02-09 09:06:43+01] wrote:

> $ gpg --fingerprint <599C62A291810408>
> bash: syntax error near unexpected symbol 'newline'

Your Bash shell uses characters "<" and ">" for input and output
redirection. Remove those characters:

gpg --fingerprint 599C62A291810408

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Keysigning party: after the event challenges

2019-02-09 Thread André Ockers
Dear GnuPG users,


I went to the FOSDEM keysigning party [1] and now I'm in trouble.

The situation is:

- GNU/Linux Trisquel + Icedove (= Thunderbird rebranded) + Enigmail here
at home;

- 171 official keysigning party participants, of whom 107 showed up to my
awareness;

- 5 participants have a key on the keyserver in a for Enigmail
downloadable state;

- when I want to check [2] a fingerprint of a downloaded Key ID I get an
error message, for example

$ gpg --fingerprint <599C62A291810408>
bash: syntax error near unexpected symbol 'newline'

Please help! Thank you very much,

Best regards,

André Ockers

[1] https://fosdem.org/2019/keysigning/

[2]
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party







Re: cryptnet.net (which hosts "GnuPG Keysigning Party HOWTO") down?

2017-11-01 Thread Ingo Klöcker
On Wednesday, 1 November 2017 10:52:43 CET Johan Ho wrote:
> I tried to look up the "keysigning party howto" on the GnuPG website
> (https://gnupg.org/documentation/howtos.html), but apparently
> www.cryptnet.net is down (ERR_CONNECTION_REFUSED) so most of the
> language links there don't work.
> 
> I tried a few days ago and today, but it still doesn't work.

Luckily, there's archive.org and it has archived the howto:
https://web.archive.org/web/*/www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html


Regards,
Ingo




cryptnet.net (which hosts "GnuPG Keysigning Party HOWTO") down?

2017-11-01 Thread Johan Ho
I tried to look up the "keysigning party howto" on the GnuPG website 
(https://gnupg.org/documentation/howtos.html), but apparently 
www.cryptnet.net is down (ERR_CONNECTION_REFUSED) so most of the 
language links there don't work.


I tried a few days ago and today, but it still doesn't work.

Anyone know the status of that server and whether it might get fixed?

Johan Ho



Re: Hybrid keysigning party, your opinion?

2017-06-19 Thread Nils Vogels

Hey Peter, and list!

Peter Lebbing wrote on 2017-02-20 17:58:

> On 19/02/17 21:16, Nils Vogels wrote:
>> I'll read up on this thread from the archives, but I'm exploring possibilities
>> to enhance the FOSDEM format with the use of QR for on-the-spot signing for
>> those who want to and don't mind having signatures submitted by signers to
>> keyservers.
>
> Thank you for organizing a party! I'm definitely up for assisting with the
> organization.



The keysigning party has been scheduled for Monday 7/8/17, and I'm
drafting the wiki pages with instructions as we speak, using a slightly
modernized Sassaman-Efficient protocol, and see where we go from there.


Feel free to check out https://program.sha2017.org/events/245.html and
https://wiki.sha2017.org/w/Keysigning-Party, and of course, join in! :)


Regards,
Nils



Re: Hybrid keysigning party, your opinion?

2017-02-20 Thread Peter Lebbing
On 19/02/17 21:16, Nils Vogels wrote:
> I'll read up on this thread from the archives, but I'm exploring possibilities
> to enhance the FOSDEM format with the use of QR for on-the-spot signing for
> those who want to and don't mind having signatures submitted by signers to
> keyservers.

Thank you for organizing a party! I'm definitely up for assisting with the
organization.

I'd first have to look up on the FOSDEM format. The QR codes are indeed a nice
addition, however, it is inherently restricted to just a part of the attendees.
I don't trust my phone with my certifications, and holding a laptop with webcam
is really awkward and I might even drop it.

Normally I'd leave my certification-capable smartcard at home as well.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Hybrid keysigning party, your opinion?

2017-02-19 Thread Nils Vogels
Hey Peter,

I've submitted a keysigning party at sha2017 earlier, so we should have a slot
to try something out.

I'll read up on this thread from the archives, but I'm exploring possibilities
to enhance the FOSDEM format with the use of QR for on-the-spot signing for
those who want to and don't mind having signatures submitted by signers to
keyservers.


On 18 February 2017 16:15:04 CET, Peter Lebbing wrote:
>Hello Lachlan,
>
>
>On 15/02/17 14:32, Lachlan Gunn wrote:
>> Given the discussion on the list before, now that CCC has come and gone
>> I'm curious as to how well this worked.
>
>It failed on a trivial point: by the Friday before the congress, I had only
>received four signups. A list with five keys is a poor list indeed. I switched
>the model to the classic "bring keyslips" model.
>
>> Is it an innovation worth
>> perpetuating?
>
>I think it would work. I'd like to try again.
>
>In fact, given that we don't need to place trust in the paper copies, I think it
>would actually work if I kept sign-up open until just before the party, and
>printed a stack of "scrubbed" lists myself to hand out. However, it was my
>feeling that some people would not feel comfortable with this brand-spanking-new
>"no need to trust me, really! Have my stuff" type of lists, so I didn't do that.
>I intended to cater to the untrusting crowd by giving them enough time to print
>their own lists and do it in the usual Sassaman Efficient way.
>
>Given that this would have, on the flip side, catered to the handful of people
>who showed up without keyslips, perhaps it would still be a fair tradeoff for
>limiting the untrusting people in their possibilities.
>
>You could receive sign-ups by e-mail until the latest moment, and you would
>print the untrusted lists so anybody who didn't bring any keyslips could still
>be on that list by signing up.
>
>Note that there is no value judgement in how I use "untrusting" here, it's just
>a way to sum up a group of people in a single adjective.
>
>Next opportunity for a keysigning party for me will be SHA 2017, starting the
>4th of August in Zeewolde, The Netherlands[1].
>O Come, All Ye Hackful! Adeste Fiddle-es[2]!
>
>Cheers,
>
>Peter.
>
>[1] <https://sha2017.org/>
>[2] Fiddle-es: those who tinker.
>
>-- 
>I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>You can send me encrypted mail if you want some privacy.
>My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-- 
Sent from my mobile device. Please excuse my brevity.


Re: Hybrid keysigning party, your opinion?

2017-02-19 Thread Lachlan Gunn
On 2017-02-19 at 01:45, Peter Lebbing wrote:
> It failed on a trivial point: by the Friday before the congress, I had only
> received four signups. A list with five keys is a poor list indeed. I switched
> the model to the classic "bring keyslips" model.

Ah, fair enough.  That's a bit unfortunate, but thanks for the report!

Thanks,
Lachlan





Re: Hybrid keysigning party, your opinion?

2017-02-18 Thread Philip Jackson
On 18/02/17 16:15, Peter Lebbing wrote:
> O Come, All Ye Hackful! Adeste Fiddle-es[2]!
Yea !

Philip





Re: Hybrid keysigning party, your opinion?

2017-02-18 Thread Peter Lebbing
Hello Lachlan,


On 15/02/17 14:32, Lachlan Gunn wrote:
> Given the discussion on the list before, now that CCC has come and gone
> I'm curious as to how well this worked.

It failed on a trivial point: by the Friday before the congress, I had only
received four signups. A list with five keys is a poor list indeed. I switched
the model to the classic "bring keyslips" model.

> Is it an innovation worth
> perpetuating?

I think it would work. I'd like to try again.

In fact, given that we don't need to place trust in the paper copies, I think it
would actually work if I kept sign-up open until just before the party, and
printed a stack of "scrubbed" lists myself to hand out. However, it was my
feeling that some people would not feel comfortable with this brand-spanking-new
"no need to trust me, really! Have my stuff" type of lists, so I didn't do that.
I intended to cater to the untrusting crowd by giving them enough time to print
their own lists and do it in the usual Sassaman Efficient way.

Given that this would have, on the flip side, catered to the handful of people
who showed up without keyslips, perhaps it would still be a fair tradeoff for
limiting the untrusting people in their possibilities.

You could receive sign-ups by e-mail until the latest moment, and you would
print the untrusted lists so anybody who didn't bring any keyslips could still
be on that list by signing up.

Note that there is no value judgement in how I use "untrusting" here, it's just
a way to sum up a group of people in a single adjective.

Next opportunity for a keysigning party for me will be SHA 2017, starting the
4th of August in Zeewolde, The Netherlands[1].
O Come, All Ye Hackful! Adeste Fiddle-es[2]!

Cheers,

Peter.

[1] <https://sha2017.org/>
[2] Fiddle-es: those who tinker.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>





Re: Hybrid keysigning party, your opinion?

2017-02-15 Thread Lachlan Gunn
Hello,

On 2016-12-05 at 00:03, Peter Lebbing wrote:
> I am asking for your thoughts on a variant of the organization of the
> keysigning party. I'll explain my reasoning and intentions, and I would
> like to know if you think I forgot to think of something important. Is
> there a way a malicious party could get people to sign the wrong UID,
> because I didn't think of that way? I'm not interested in ways people
> could cheat at the usual "informal" keysigning party model, with
> exchanging paper keyslips. This is because this would be my fallback
> model, if the proposed model doesn't work out. So I'm only interested in
> cases where the proposed model introduces extra issues compared to the
> informal exchanging keyslips model.


Given the discussion on the list before, now that CCC has come and gone
I'm curious as to how well this worked.  Is it an innovation worth
perpetuating?

Thanks,
Lachlan





Re: Hybrid keysigning party, your opinion?

2016-12-15 Thread Lachlan Gunn
On 2016-12-14 at 04:34, Peter Lebbing wrote:
> Oh, not at all, I hadn't even noticed one could see it that way.

My bad; such is the life of the email-user.

> Or hang a truly huge printout on the wall and at the start of the
> session, together observe that it is correct. Any latecomers can be told
> "look, everybody thinks it's completely normal that we have a 64 digit
> hex code on the wall, and that's because we all agreed it's the right one".

Yes, with paper that would work.  I rejected it because I was imagining
a projector, which obviously could change the hash halfway through.

Thanks,
Lachlan






Re: Hybrid keysigning party, your opinion?

2016-12-13 Thread Peter Lebbing
On 12/12/16 06:27, Lachlan Gunn wrote:
> My apologies if I came across as overly harsh.

Oh, not at all, I hadn't even noticed one could see it that way.

> What I meant was that it
> took me a little bit of time to work out exactly what you meant, so
> someone unfamiliar with the web of trust will probably not follow
> exactly;

This was a mail to a crypto-mailing list asking cryppies for advice on
how to cripple... er... subvert a certain setup. Totally different audience!

> One last thought: This may be naïvely optimistic, but if everyone
> finishes at the same time then you can always do a second confirmation
> of the list-hash at the end for people who are late to the session.

Hmm, interesting idea. Could be possible.

>  Or
> if you're into arts and crafts, give them a copy of the master hash on
> overhead transparency that they can use to very quickly check against
> someone else's.

Or hang a truly huge printout on the wall and at the start of the
session, together observe that it is correct. Any latecomers can be told
"look, everybody thinks it's completely normal that we have a 64 digit
hex code on the wall, and that's because we all agreed it's the right one".

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Hybrid keysigning party, your opinion?

2016-12-13 Thread Peter Lebbing
On 12/12/16 07:02, Lachlan Gunn wrote:
> Also, while I promised to forever hold my peace, you might want to give
> people a programmatic way to make the scrubbed list so that those who
> print their own don't need to manually verify it.

If they want to have a known good copy, they can just print the detailed
list!

They then also have the opportunity to have gpgsigs annotate it with the
signatures they already did at an earlier keysigning party, saving them
the trouble of re-identifying someone for nothing. (Note that not all
people consider this "for nothing", some actually like to have a new
signature).

> The //d (rather
> than s///) is important because unless it makes the list shorter, there
> isn't any incentive to go to the trouble :)

I chose to replace them by empty lines so the lists still line up if you
choose the screen font to be a similar size as the printed font. I will
be literally holding my paper list next to my monitor, it's useful if
they line up and all information that is the same looks exactly the
same. You spot errors much quicker that way.

Thanks for your thoughts,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Re: Recording keysigning attendants on phone

2016-12-12 Thread Stephan Beck


Lachlan Gunn:
> On 2016-12-08 at 22:30, Stephan Beck wrote:
>> Yes, to your first question. How you would do that via the
>> hash-on-the-projector method, is not clear to me, though. Would that be
>> for generating the (initial) list of the organizers as in Sassaman
>> Efficient (as an additional service for people using cell phones or
>> tablets)? Or wouldn't there be any paper copy at the event?
>> Sorry, for questions that might seem obvious to you.
> 
> Yes, sorry.  There wouldn't be any paper copy, which might be a problem,
> unless you have a printer available to produce printed copies on demand
> which can be checked later.
> 
> The idea is to allow people to add themselves to the list right up until
> the last minute, then someone cuts the ribbon, the system emails it to
> everyone and displays it on the projector, and they all follow either
> the standard Sassaman method or Peter's hybrid one.

Thanks for the explanation, Lachlan. Ok, I see, preparations (required
in the Sassaman Efficient keysigning event model), in your scheme, are
done electronically right before the event starts, are they?
Well, that may be fine for many people.
Don't ask me why, but, personally, I'd always prefer an additional paper
copy as a security measure.

Cheers

Stephan








Re: Hybrid keysigning party, your opinion?

2016-12-11 Thread Lachlan Gunn
On 2016-12-12 at 03:45, Peter Lebbing wrote:
> My e-mail was 1424 words though, so I am afraid I ended up in your
> wishful thinking area.
> 
> The remaining 1607 words are in the sections "Background" and "Option
> for advanced users", and those words happen to include the name Lachlan.
> Go check it out! ;-P

My apologies if I came across as overly harsh.  What I meant was that it
took me a little bit of time to work out exactly what you meant, so
someone unfamiliar with the web of trust will probably not follow
exactly; it may just have been that I went through your email too late
at night. Something along the lines of the following might make it more
clear to everyone who is familiar with the hashed-list approach:

Those who are in the advance list are certified in the usual way,
and latecomers hand out keyslips in order to get themselves
certified.

If you are late you need to check when you get home
that the names and serial numbers on the form that we gave
out match those on the one whose hash is on the projector.

But this is just me nitpicking about presentation.  I think the idea is
good, and falls into that wonderful category of things that are obvious
in retrospect, but in need of someone clever to make the breakthrough
without the benefit of hindsight.

One last thought: This may be naïvely optimistic, but if everyone
finishes at the same time then you can always do a second confirmation
of the list-hash at the end for people who are late to the session.  Or
if you're into arts and crafts, give them a copy of the master hash on
overhead transparency that they can use to very quickly check against
someone else's.

Thanks,
Lachlan





Re: Hybrid keysigning party, your opinion?

2016-12-11 Thread Lachlan Gunn
On 2016-12-12 at 03:45, Peter Lebbing wrote:
> I really like this suggestion! I had to think about it for a while
> before I could see a way to make it work. The trouble is that I want
> caff to be able to process the file, and for that I need to keep it
> having much of the same patterns. I ended up not significantly altering
> the two files compared to what I proposed, but instead suggesting
> everybody should use the scrubbed version. That way, the instructions
> are the same for all participants.

Also, while I promised to forever hold my peace, you might want to give
people a programmatic way to make the scrubbed list so that those who
print their own don't need to manually verify it.  This might add too
much complexity, so I don't know whether it is worthwhile.

Something like

sed -re '/^(pub|\s+Key fingerprint).*$/d' scrubbed.txt

is easy enough to verify by eye as not being a trick.  The //d (rather
than s///) is important because unless it makes the list shorter, there
isn't any incentive to go to the trouble :)

Thanks,
Lachlan
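
The scrubbing step from the message above, next to the blank-line variant Peter describes in his reply, as an added example that is not part of either post. The list layout in sample_list is constructed, and hashing the scrubbed list itself (rather than some other file) is an assumption made for the example.

```shell
#!/bin/sh
# Added example: derive a "scrubbed" list from the detailed keysigning list
# and compare its SHA-256 with the digest announced at the party.

# Constructed sample in the general shape of a keysigning list (assumed layout).
sample_list() {
cat <<'EOF'
001  [ ] Fingerprint OK        [ ] ID OK
pub   rsa4096/0000000000000001 2016-01-01
      Key fingerprint = 0000 0000 0000 0000 0000  0000 0000 0000 0000 0001
uid   Alice Example <alice@example.org>

002  [ ] Fingerprint OK        [ ] ID OK
pub   rsa4096/0000000000000002 2016-01-02
      Key fingerprint = 0000 0000 0000 0000 0000  0000 0000 0000 0000 0002
uid   Bob Example <bob@example.org>
EOF
}

# Same lines the sed command in the post targets, written with a POSIX
# character class so it also works where \s is not supported.
PATTERN='^(pub|[[:space:]]+Key fingerprint)'

# Variant from the post: delete the lines, so the printed list gets shorter.
scrub_delete() { sed -E "/$PATTERN/d"; }

# Variant from the reply: empty the lines but keep them, so the scrubbed list
# still lines up row for row with the detailed list on screen.
scrub_blank() { sed -E "/$PATTERN/s/.*//"; }

# Hex SHA-256 of stdin (sha256sum, or shasum where only that is installed).
list_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum
    else
        shasum -a 256
    fi | cut -d' ' -f1
}

# $1 = detailed list file, $2 = digest as announced (any case, spaces allowed).
# Succeeds only if the locally scrubbed list hashes to the announced value.
matches_announced_hash() {
    got=$(scrub_blank < "$1" | list_sha256)
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# The two variants produce different bytes and therefore different digests,
# so the announced hash only means something if everyone scrubs the same way.
printf 'deleted variant: %s\n' "$(sample_list | scrub_delete | list_sha256)"
printf 'blanked variant: %s\n' "$(sample_list | scrub_blank | list_sha256)"
```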





Recording keysigning attendants on phone (was: Hybrid keysigning party, your opinion?)

2016-12-11 Thread Lachlan Gunn
On 2016-12-08 at 22:30, Stephan Beck wrote:
> Yes, to your first question. How you would do that via the
> hash-on-the-projector method, is not clear to me, though. Would that be
> for generating the (initial) list of the organizers as in Sassaman
> Efficient (as an additional service for people using cell phones or
> tablets)? Or wouldn't there be any paper copy at the event?
> Sorry, for questions that might seem obvious to you.

Yes, sorry.  There wouldn't be any paper copy, which might be a problem,
unless you have a printer available to produce printed copies on demand
which can be checked later.

The idea is to allow people to add themselves to the list right up until
the last minute, then someone cuts the ribbon, the system emails it to
everyone and displays it on the projector, and they all follow either
the standard Sassaman method or Peter's hybrid one.

Thanks,
Lachlan





(OT) Hybrid keysigning party, your opinion?

2016-12-11 Thread Peter Lebbing
On 11/12/16 21:37, Robert J. Hansen wrote:
> Peter's correction was made in a spirit of utterly pedantic attention
> to detail [a spirit I share!]

Hah! Guilty as charged :-).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Hybrid keysigning party, your opinion?

2016-12-11 Thread Robert J. Hansen
> Or you might not because it was based on a stupid thinking error on my
> side. Let's make it "a chance of 1 in 2^128", which could be the chance
> of you trying a symmetric encryption key and actually being right about it.

I'm glad you made the correction: that error was so profound.  :)


(For those not up on their large-number theory: the difference is
insignificant.  Peter's correction was made in a spirit of utterly
pedantic attention to detail [a spirit I share!], not because it mattered.)



Re: Hybrid keysigning party, your opinion?

2016-12-11 Thread Peter Lebbing
On 11/12/16 18:22, Peter Lebbing wrote:
> You might recognise the chosen quantity :-).

Or you might not because it was based on a stupid thinking error on my
side. Let's make it "a chance of 1 in 2^128", which could be the chance
of you trying a symmetric encryption key and actually being right about it.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Hybrid keysigning party, your opinion?

2016-12-11 Thread Peter Lebbing
On 08/12/16 15:08, Lachlan Gunn wrote:
> Can't they get this from the other participants in the line?  Checking
> with a few people at random gives reasonable assurance that this is what
> was agreed on at the beginning, or they can check them all if they want
> to be certain.

Personally, I find checking a few other participants to be too weak an
assurance. I don't believe in security by numbers. If I'm dealing with
statistics, I want them to be on the order of "chance of one in 2^127".
You might recognise the chosen quantity :-). But everybody is free to
decide their own policy.

And checking at everyone would hold up the process; it's 64 hex digits
to verify!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Hybrid keysigning party, your opinion?

2016-12-11 Thread Peter Lebbing
On 08/12/16 14:51, Lachlan Gunn wrote:
> Personally I am of the mind that anything longer than that email is
> wishful thinking, you have to get people to actually follow it.

The e-mail wasn't meant to be the text for participants. I've spent all
afternoon writing a text at the 33C3 wiki[1], but only part of it is
meant to be read by everyone, or essentially, everyone who wants to know
more than the most basic. It's 1764 words. I've tried to restrict it to
the important things, and I feel that cutting it further down would lose
important information. I don't think it's necessary for everyone to read
the whole section, though.

My e-mail was 1424 words though, so I am afraid I ended up in your
wishful thinking area.

The remaining 1607 words are in the sections "Background" and "Option
for advanced users", and those words happen to include the name Lachlan.
Go check it out! ;-P

> To this end, another suggestion is to make the forms that they fill in
> identical, whether or not they are late.  You could do this by putting
> the fingerprints at the end of the primary document and just printing
> out the first bit for latecomers.  This might save some "I don't know
> how your form works, I have the prearranged one" on the day.

I really like this suggestion! I had to think about it for a while
before I could see a way to make it work. The trouble is that I want
caff to be able to process the file, and for that I need to keep it
having much of the same patterns. I ended up not significantly altering
the two files compared to what I proposed, but instead suggesting
everybody should use the scrubbed version. That way, the instructions
are the same for all participants.

Thank you,

Peter.

[1] https://events.ccc.de/congress/2016/wiki/Session:Keysigning_party

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Stephan Beck


Peter Lebbing:
> On 08/12/16 14:14, Stephan Beck wrote:
>> Just some meditations:
>>
>> So, the late attendees can see and hear that the ordinary participants 
>> confirm the checksum and that their fingerprints check out?
> 
> Yes, the late attendees definitely need to be there at the beginning of the
> party, verifying that the SHA256 checksum printed at the top of their scrubbed
> list is the one being read aloud and hearing everybody confirm their fingerprint
> is correct.
[...]

Thanks, Peter. No more open questions!
As with everything, I think I'd have to set up such an event and go
through its practical application (or participate in one) to become more
expert. Let me see if there are any in my region.

Stephan




Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Lachlan Gunn
On 2016-12-09 at 00:25, Peter Lebbing wrote:
> Yes, the late attendees definitely need to be there at the beginning of the
> party, verifying that the SHA256 checksum printed at the top of their scrubbed
> list is the one being read aloud and hearing everybody confirm their fingerprint
> is correct.

Can't they get this from the other participants in the line?  Checking
with a few people at random gives reasonable assurance that this is what
was agreed on at the beginning, or they can check them all if they want
to be certain.

Thanks,
Lachlan



Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Lachlan Gunn
On 2016-12-08 at 22:05, Peter Lebbing wrote:
> Stephan and Lachlan, thank you for thinking about this! I need to make a
> decision soon, I really need feedback!

Not a problem, efficient keysigning is something I've been pondering for
a while, so I'm really glad to see people working in the area.

> I wouldn't say my information is detailed actually, I could write a *lot* more
> about proper procedure. But I hoped I didn't have to, instead just focussing on
> what I wanted to do *differently* from usual.

Personally I am of the mind that anything longer than that email is
wishful thinking, you have to get people to actually follow it.  The
ones who need to do it are also only the ones who weren't organised in
advance, so I think keep the extra work to a minimum if you want to
maximise the useful signatures from them.

To this end, another suggestion is to make the forms that they fill in
identical, whether or not they are late.  You could do this by putting
the fingerprints at the end of the primary document and just printing
out the first bit for latecomers.  This might save some "I don't know
how your form works, I have the prearranged one" on the day.

It's late here now, but I'll try to have a look over the weekend to see
if there are any missed opportunities for automation.

Thanks,
Lachlan



Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Peter Lebbing
On 08/12/16 14:14, Stephan Beck wrote:
> Just some meditations:
> 
> So, the late attendees can see and hear that the ordinary participants 
> confirm the checksum and that their fingerprints check out?

Yes, the late attendees definitely need to be there at the beginning of the
party, verifying that the SHA256 checksum printed at the top of their scrubbed
list is the one being read aloud and hearing everybody confirm their fingerprint
is correct.

> One that was on the list and didn't show up would not get the required marks
> on () fpr () id ?

Correct, I actually cross out the full entry with my pen, but it would suffice
not to put a check mark on Fingerprint. A check mark on ID is totally out of the
question, that check mark indicates you have verified their identity!

> Would that person be (as uid-serial number, 001, 002, 003...) on the
> attendee's fingerprint-less list? But that person definitely would not end up
> as a person being included in the final list?

The list is *immutable*. It is finished before the event even starts, and has a
known SHA256 checksum.

People are not added to or removed from the list.

Late participants get the original list as it was sent to the early registrants,
with the precise, known SHA256 list.

After someone has verified they at least received the correct list
electronically, they're free to change whatever they like on the list for
themselves, *but not to send on to others*. It is vitally important that what is
sent to people is the original list with the correct SHA256 checksum. And if
somebody is unable to get a list with the correct SHA256 checksum, they have
wasted their time with verifying the people on the list. But this would be an
odd situation: nobody is able to send them an unmodified file? I'd worry about
my computer and my internet connection then, not the time lost during the
keysigning.

> Then, by checking serial numbers, as you say, it's ok :-)

Checking serial numbers <-> UID mappings is /purely/ to catch out dishonesty on
the part of the person who printed the scrubbed lists for the late attendees. It
is not to account for changes in who was present and stuff like that.

Of course I'll provide the lists, so I for myself know they will be okay.
However, the other people would just have my word for it, and that is wholly
insufficient.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
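
The checks described in the message above, sketched as an added example (not part of the original post and not caff's code): the checksum applies only to the unmodified file, fingerprints are taken from that verified file, check marks come from your own annotated copy, and the serial-to-UID mapping of a scrubbed list is compared against the original. The list layout and every name in it are constructed assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample in a simplified layout (an assumption, not the real
# 33C3 file): serial + two checkboxes, a fingerprint line, uid lines.
ORIGINAL = b"""\
001  [ ] Fingerprint OK        [ ] ID OK
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
uid   Alice Example <alice@example.org>

002  [ ] Fingerprint OK        [ ] ID OK
      Key fingerprint = BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444
uid   Bob Example <bob@example.org>

003  [ ] Fingerprint OK        [ ] ID OK
      Key fingerprint = 5555 6666 7777 8888 9999  AAAA BBBB CCCC DDDD EEEE
uid   Carol Example <carol@example.org>
"""

HEADER = re.compile(r"^(\d{3})\s+\[(.)\] Fingerprint OK\s+\[(.)\] ID OK\s*$")
FPR = re.compile(r"^\s*Key fingerprint = ([0-9A-Fa-f ]+)$")


@dataclass
class Entry:
    fpr_ok: bool
    id_ok: bool
    fingerprint: str = ""                     # stays empty on a scrubbed list
    uids: list = field(default_factory=list)


def parse(text: str) -> dict:
    """Map serial number -> Entry for every participant on a list."""
    entries, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = entries[m.group(1)] = Entry(m.group(2) in "xX",
                                                  m.group(3) in "xX")
        elif current is not None and (m := FPR.match(line)):
            current.fingerprint = m.group(1).replace(" ", "").upper()
        elif current is not None and line.startswith("uid"):
            current.uids.append(line[3:].strip())
    return entries


def scrub(text: str) -> str:
    """Drop fingerprint lines, as on the printed list for late attendees."""
    return "\n".join(l for l in text.splitlines() if not FPR.match(l)) + "\n"


def checksum_matches(data: bytes, announced: str) -> bool:
    """Compare a file's SHA256 with the 64 hex digits read aloud."""
    wanted = re.sub(r"[\s:]", "", announced).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", wanted):
        return False                          # a partial checksum never matches
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), wanted)


def uid_mismatches(original: dict, other: dict) -> list:
    """Serials whose UID mapping differs from the verified original."""
    return sorted(s for s in original.keys() | other.keys()
                  if s not in original or s not in other
                  or original[s].uids != other[s].uids)


def keys_to_sign(original_bytes: bytes, announced: str, marked_text: str) -> list:
    """Return (serial, fingerprint, uids) for entries with BOTH check marks."""
    if not checksum_matches(original_bytes, announced):
        raise ValueError("list does not have the checksum read aloud")
    original = parse(original_bytes.decode("utf-8"))
    marked = parse(marked_text)               # your own annotated copy
    bad = uid_mismatches(original, marked)
    if bad:
        raise ValueError(f"serial/UID mapping differs for {bad}")
    # Fingerprints come only from the checksum-verified original.
    return [(s, original[s].fingerprint, original[s].uids)
            for s in sorted(marked) if marked[s].fpr_ok and marked[s].id_ok]


if __name__ == "__main__":
    digest = hashlib.sha256(ORIGINAL).hexdigest()
    marked = scrub(ORIGINAL.decode()).replace(
        "001  [ ] Fingerprint OK        [ ] ID OK",
        "001  [x] Fingerprint OK        [x] ID OK")
    for serial, fpr, uids in keys_to_sign(ORIGINAL, digest, marked):
        print(serial, fpr, uids)
```

The UIDs on the downloaded key still have to be compared by hand with what was verified from the ID document; this sketch only covers the list itself.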



Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Stephan Beck


Peter Lebbing:
> Stephan and Lachlan, thank you for thinking about this! I need to make a
> decision soon, I really need feedback!
> 
> On 07/12/16 22:44, Stephan Beck wrote:
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
> 
> The normal attendees also don't do any fingerprint verification *at the party*.
> At home, before the party, they checked their own fingerprint, and generated the
> SHA256 checksum for the file they got. At the party, everybody together checks
> the SHA256 checksum by simply reading aloud each and every digit.

Yes, Peter, but they are the "ordinary" participants who went through
the preparation, and then state (at the event) that the checksum is
{checksum} and that the corresponding fingerprint on the list is theirs
and that it is correct ("check out"). The others (late attendees) just
hand out their keyslip (keyslip is just an "unverified statement"),
receive the keyslip from the other, together with the fingerprint-less
list they have, and postpone the verification to the moment when they
are at home and have been sent the list from the organizer. By that
time, the other ("Sassaman's Efficient ordinary participants") can
already be sure of the integrity/authenticity of the messages of their
communication partners and that partner's true identity.

Just some meditations:

So, the late attendees can see and hear that the ordinary participants
confirm the checksum and that their fingerprints check out?
One that was on the list and didn't show up would not get the required
marks on () fpr () id ? Would that person be (as uid-serial number, 001,
002, 003...) on the attendee's fingerprint-less list? But that person
definitely would not end up as a person being included in the final
list? That might produce inconsistencies in numbering. So the final list
just would not include some serial numbers that once were on the
"initial" list or the fingerprint-less list? Then, by checking serial
numbers, as you say, it's ok :-)

Cheers

Stephan




Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Stephan Beck
Hi,

Lachlan Gunn:
> On 2016-12-08 at 08:14, Stephan Beck wrote:
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
> 
> If I understand correctly, the late attendees still get a copy of the
> fingerprints after the fact, they just don't have it on their sheet of
> paper.  The fingerprint-less piece of paper just lets them keep a record
> of who they have verified, and gives them a hash of the list that does
> have the fingerprints, which they can compare with the people who were
> ready beforehand (to make sure that the fingerprints have been verified
> by the identity holders).

yes, they still get the original file from the organizer afterwards,
that's true.

caff automatically checks the fingerprint on import (before mailing out
each of the signed keys/UID), so there's no way of tampering. If they
hadn't those fingerprints (or the original file/list), caff would not
let them go on.

Quote from README.many-keys

$ caff

> I've actually thought of doing an electronic keyslip program for mobile
> phones/tablets that would let you build the list electronically using QR
> codes or NFC, or maybe doing it via the hash-on-the-projector method for
> maximum speed.  Then you could just download the file to your signing
> machine and let CAFF do its thing.
> 
> Would this interest anyone?  Does the idea have flaws that I'm blind to?

Yes, to your first question. How you would do that via the
hash-on-the-projector method, is not clear to me, though. Would that be
for generating the (initial) list of the organizers as in Sassaman
Efficient (as an additional service for people using cell phones or
tablets)? Or wouldn't there be any paper copy at the event?
Sorry, for questions that might seem obvious to you.

Thanks

Stephan




Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Peter Lebbing
Stephan and Lachlan, thank you for thinking about this! I need to make a
decision soon, I really need feedback!

On 07/12/16 22:44, Stephan Beck wrote:
> Doesn't your proposal imply that late attendees could
> make their way through all the keysigning without fingerprint
> verification? Or do I miss something?

The normal attendees also don't do any fingerprint verification *at the party*.
At home, before the party, they checked their own fingerprint, and generated the
SHA256 checksum for the file they got. At the party, everybody together checks
the SHA256 checksum by simply reading aloud each and every digit.

> Thank you in any case for your detailed information, that encouraged me
> to install the keysigning package and have a look into it. It seems to
> be a great tool for organizing a key-signing event!

It is :-)

I wouldn't say my information is detailed actually, I could write a *lot* more
about proper procedure. But I hoped I didn't have to, instead just focussing on
what I wanted to do *differently* from usual.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Recording keysigning attendants on phone (was: Hybrid keysigning party, your opinion?)

2016-12-08 Thread Peter Lebbing
On 08/12/16 07:29, Lachlan Gunn wrote:
> If I understand correctly, the late attendees still get a copy of the
> fingerprints after the fact, they just don't have it on their sheet of
> paper.  The fingerprint-less piece of paper just lets them keep a record
> of who they have verified, and gives them a hash of the list that does
> have the fingerprints, which they can compare with the people who were
> ready beforehand (to make sure that the fingerprints have been verified
> by the identity holders).

Yes, that is spot on what I had in mind. What do you think?

> Does the idea have flaws that I'm blind to?

I can't say as to your perception, but all these "verify at the party, sign
after the party" share the problem that the list could be modified in the time
between verifying and signing.

Somebody could pickpocket your list, add checkmarks with the same type of pen you
used, and then sneak it back into your possession. That's a physical act that
requires an intimate level of proximity.

A phone or tablet is a wirelessly connected device that could be hacked from a
distance, and it could be done even before the keysigning.

I'd say the latter is in principle more vulnerable; but it depends on your
threat model. If, for instance, you've already concluded that you want to have
your primary key on the same phone or tablet, it doesn't matter anymore if you
then also keep this party list on there.

For the sake of my sanity and the fact that I'll need to make the decision about
the 33C3 keysigning soon, let's please not mingle these subthreads. If you reply
to my "What do you think?", I'd suggest re-instating the previous Subject:-line :-).

Thank you!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Re: Hybrid keysigning party, your opinion?

2016-12-08 Thread Lachlan Gunn
On 2016-12-08 at 08:14, Stephan Beck wrote:
> Doesn't your proposal imply that late attendees could
> make their way through all the keysigning without fingerprint
> verification? Or do I miss something?

If I understand correctly, the late attendees still get a copy of the
fingerprints after the fact, they just don't have it on their sheet of
paper.  The fingerprint-less piece of paper just lets them keep a record
of who they have verified, and gives them a hash of the list that does
have the fingerprints, which they can compare with the people who were
ready beforehand (to make sure that the fingerprints have been verified
by the identity holders).

I've actually thought of doing an electronic keyslip program for mobile
phones/tablets that would let you build the list electronically using QR
codes or NFC, or maybe doing it via the hash-on-the-projector method for
maximum speed.  Then you could just download the file to your signing
machine and let CAFF do its thing.

Would this interest anyone?  Does the idea have flaws that I'm blind to?

Thanks,
Lachlan





Re: Hybrid keysigning party, your opinion?

2016-12-07 Thread Stephan Beck


Peter Lebbing:
> Hi all,
> 
> In just a few weeks, the 33C3 will be held in Hamburg, the 33rd Chaos
> Communication Congress organized by the Chaos Computer Club. I intend to
> organize a keysigning party, just because they are fun.
> 
> I am asking for your thoughts on a variant of the organization of the
> keysigning party. 

...
Doesn't your proposal imply that late attendees could
make their way through all the keysigning without fingerprint
verification? Or do I miss something?

Cheers

Stephan


Thank you in any case for your detailed information, that encouraged me
to install the keysigning package and have a look into it. It seems to
be a great tool for organizing a key-signing event!






Hybrid keysigning party, your opinion?

2016-12-04 Thread Peter Lebbing
Hi all,

In just a few weeks, the 33C3 will be held in Hamburg, the 33rd Chaos
Communication Congress organized by the Chaos Computer Club. I intend to
organize a keysigning party, just because they are fun.

I am asking for your thoughts on a variant of the organization of the
keysigning party. I'll explain my reasoning and intentions, and I would
like to know if you think I forgot to think of something important. Is
there a way a malicious party could get people to sign the wrong UID,
because I didn't think of that way? I'm not interested in ways people
could cheat at the usual "informal" keysigning party model, with
exchanging paper keyslips. This is because this would be my fallback
model, if the proposed model doesn't work out. So I'm only interested in
cases where the proposed model introduces extra issues compared to the
informal exchanging keyslips model.

There are several methods to do a keysigning party. One of them is the
"Sassaman efficient" version. It requires preparation, and this
preparation must be done in time that everybody can print out their copy
of the list. With a congress spanning several days, this means the
preparation should probably be done before the congress, since in
general you shouldn't print your list on a printer you don't completely
trust, and most people don't bring a printer (I did! :).

Now Sassaman efficient has a very big issue. There will always be people
who also wish to attend the keysigning party who did not participate in
the preparations. As far as I can see, these people could just
participate as equals with printed out keyslips to hand out to the other
people. However, I've seen multiple times that these late guests were
treated as second-class participants. I've actually seen them delegated
to the corridor outside the room where the party was held, told to wait
until the others were done! I never got a chance to exchange
fingerprints with these people because of course they left a long time
before the party inside was done. I can't imagine this was a very
pleasant experience for them.

The common denominator of the Sassaman efficient and the informal method
is that you form a line of people that folds in on itself. Now, as I see
it, you can just form a line beginning with the people on the list and
ending with the people who joined late.[1] With the people on the list,
you only check ID's and place a checkmark on your list when satisfied.
Once you get to the part with the late attendants[2], you instead
exchange key slips. I don't see why the people who are not on the list
should not be allowed to be in the same line, yet it is what I've seen
happening.

Anyway, so, Sassaman efficient has a major problem. It also has
advantages. At the bottom line, there is only one advantage I find relevant.

With Sassaman efficient, you actually only have to check one SHA256 hash
and your own fingerprint.

No matter how many attendees, you don't have to check anyone else's
fingerprint manually. Just the two!

This is because you have a SHA256-protected list of fingerprints already
in digital form; no need to compare to printed out digits on paper. All
attendees who participated in the preparation have gotten a text file
which contains all fingerprints of the participants, and they print out
this list as well as compute its checksum. Additionally, they check that
their *own* fingerprint in this list is correct. At the event, the
SHA256 checksum of the text file is read aloud and everybody compares it
to the checksum on their piece of paper. Next, each participant on the
list is asked in turn whether their fingerprint checked out.[3]

After the event, you'll go home and sign keys, using the verified text
file that has the correct SHA256 checksum. Now when you use CA - Fire
and Forget, caff, all you have to check are the UID's you are signing.
The SHA256 checksum has already ascertained that the fingerprints in the
text file are correct; anyone altering a fingerprint will necessarily
alter the checksum of the file. And caff checks the fingerprint for you
from the known-correct file! As long as all participants verified that
their own fingerprint is correct in the file with the correct SHA256
hash, all fingerprints have been verified already.

It will still be *very* important to verify the UID's manually. What if
the official list had a key with fingerprint X and UID
, but once you download the key with fingerprint X,
there's instead an UID ? You need to check that you
only sign UID's carrying Alice's name that you verified from her
passport or similar thing.

I quite like it that I don't have to verify dozens of fingerprints
manually; I'd like to keep the list if possible. So can we improve on
the party where there is a line of both people on the list and people
with keyslips? I think we can.

I think ideally, the participants who

Re: 31C3, keysigning party

2014-12-12 Thread Tobias Mueller
Hi.

On Thu, Dec 11, 2014 at 01:49:36PM +0100, Peter Lebbing wrote:
> Probably monkeyscan from monkeysign...
FWIW: A tool with a similar goal is GNOME Keysign:
https://github.com/muelli/geysigning (Note that the repository will move, so this
link will become defunct)
Contrasting caff or monkeysign, it does not rely on keyservers.

Cheers,
  Tobi



Re: 31C3, keysigning party

2014-12-11 Thread Guilhem Moulin
On Thu, 11 Dec 2014 at 13:22:28 +0100, Peter Lebbing wrote:
> On 11/12/14 11:39, Werner Koch wrote:
>> I will be at the 31C3 at Hamburg from the 28th (late afternoon) to the
>> 30th.  You may find me at the FSFE Assembly or ask there for my local
>> communication parameters.
> 
> I intend to organise a keysigning party if no one else does.

There is one advertized already:

  https://events.ccc.de/congress/2014/wiki/Session:Keysigning_Party

> Now I'm considering a mixed-mode party, basing on Sassaman-Efficient,
> but falling back to slips of paper as produced by e.g. gpg-key2ps for
> people who brought those from home and don't have access to a printer
> while at the congress. Oh, and there's this 2D barcode keysigning
> thing as well, should look it up.

You'll find an alternative to gpg-key2ps(1) in the latest signing-party
package: gpg-key2latex(1).  It produces a nicer output IMHO, including
UAT (photo) and QR code, at the expense of heavier dependencies (such as
texlive).  Disclaimer: I'm the author of that script :-P

-- 
Guilhem.




Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 17:58, Guilhem Moulin wrote:
> There is one advertized already:

Excellent!

And thank you for pointing it out, especially since they expect you to sign up
/way before/ the event. I hope they'll allow people in who didn't sign up (who
will bring their own slips of paper or QR code for people to photograph). In
fact, I've mentioned this to the organiser while signing up.

> You'll find an alternative to gpg-key2ps(1) in the latest signing-party
> package: gpg-key2latex(1).  It produces a nicer output IMHO, including
> UAT (photo) and QR code, at the expense of heavier dependencies (such as
> texlive).  Disclaimer: I'm the author of that script :-P

Thanks! That certainly is useful.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 14:46, Tobias Mueller wrote:
> FWIW: A tool with a similar goal is GNOME Keysign:

Thanks for the pointer!

> Contrasting caff or monkeysign, it does not rely on keyservers.

Neither does caff, if the organiser of the keyparty simply collects all keys
(sent by the participants) and sends the resulting keyring to all participants.
Been there, done that, bought the GnuPG t-shirt. I haven't checked if you can
pass a keyring to monkeysign.

So I'm a bit surprised by that claim in the README of GNOME Keysign.

They also keep talking of an authenticated copy of a key. The authentication
usually consists of you checking the fingerprint (or the program checking the
fingerprint in a securely retrieved barcode). Surely that is enough? Am I
missing something somewhere?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 13:22, Peter Lebbing wrote:
> Oh, and there's this 2D
> barcode keysigning thing as well, should look it up. It was demonstrated to me
> at the keysigning at OHM2013.

Probably monkeyscan from monkeysign... the latter has been mentioned numerous
times on this list, btw.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 11:39, Werner Koch wrote:
> Hi!

Hi!

> I will be at the 31C3 at Hamburg from the 28th (late afternoon) to the
> 30th.  You may find me at the FSFE Assembly or ask there for my local
> communication parameters.

I intend to organise a keysigning party if no one else does. I did one at 29C3
as well. I did a pure Sassaman-Efficient process then. Now I'm considering a
mixed-mode party, basing on Sassaman-Efficient, but falling back to slips of
paper as produced by e.g. gpg-key2ps for people who brought those from home and
don't have access to a printer while at the congress. Oh, and there's this 2D
barcode keysigning thing as well, should look it up. It was demonstrated to me
at the keysigning at OHM2013.

I printed my own Sassaman-Efficient list at the hotel I was staying at[1].

Do any people have experience with paperless keysigning parties, using laptops,
tablets, mobile phones, that sort of stuff?

BTW, I will attend the whole congress (27 to 30), but I might sleep in some days.

Cheers,

Peter.

[1] I figured the odds that the hotel would modify my list rather low,
especially since we were the only participants staying at that hotel, so they
had probably never even heard of OpenPGP :).

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Re: Keysigning

2014-12-03 Thread MFPA

Hi


On Wednesday 3 December 2014 at 10:13:04 AM, in
, Kristian Fiskerstrand
wrote:



> This one means you should update your version of gnupg.
> It was a bug back in 2.0.24 and 2.0.25 (and the 1.4
> versions released around the same time).


Interesting, thank you. The error message was given by GnuPG 1.4.18,
which is the newest 1.4 version I can see at
. Is there a newer one elsewhere?



-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

CAUTION! - Beware of Warnings!


Re: Keysigning

2014-12-03 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02-12-2014 at 7:53, Robin Mathew Rajan wrote:
> Hello David, :)
> 
> I already uploaded my public key to a public key server some months
> ago. But there's no local Linux users group where I live! I sent
> emails to some people listed at biglumber.com with my Government
> issued ID card attached. But no reply came from them. :( Some of
> them are CACert Assurers!

  CAcert requires face to face meetings, since we (yes, I'm an
assurer) must check the government issued ID and try to figure out if
it has been tampered. Then we must compare the picture with your face,
to make sure you are you, and not someone else with your ID.

  But the purpose of getting a signature in your key is to:
1.- allow the person that issues the signature to trust your key validity.
2.- allow people trusting the signature issuer's judgement to trust
your key validity.

   So, if you get CAcert's signature, it allows people trusting CAcert
procedures to consider your key as valid, but it won't have any
meaning for people that don't trust CAcert. Several persons in this
list fall in that category. A signature from a local linux users
group would mean nothing to me, since I don't know any of them, and I
don't know what kind of validation they do before signing a key.

   In other words, you want signatures, but not just any signature,
you want signatures that have some meaning for the people that will be
exchanging messages with you. I know when I first made my key, I
wanted it signed, as if it was some kind of autograph book, but after
a while you realize it just increases the key's weight. Nothing to
worry too much about, since while you can't remove signatures from
keyservers (and you can't prevent somebody from fetching your key from
a keyserver, signing it with 200 bogus keys, and uploading it again),
you can still clear your local copy of your key, and send it by email
to one of your friends. And your friends can also fetch your key and
clean it from all the meaningless signatures it may have (meaningless
to them, as I said, it depends on each person).

   For some uses, I could use a key carrying only a nickname, and
exchange signatures with my gaming alliance, and that would be OK,
since I won't be exchanging any world domination plan with them. If I
were working with a customer that is a representative of a bank, and I
had to email him the user and password for the server I just set up for
them, I'd require a face to face meeting to sign his key (and I
wouldn't mind too much about what name is on the key, I'd care about
the person that uses the key. If the key says "Barak Obama", I'd
issue a local signature, so I can still use the signature to verify
the key's validity, and I would not be vouching to the world the key
belongs to "Barak Obama"). Or I could trust the signature already
issued by my boss.
   By the way, that was just an example, probably any customer
requesting me to give them the server login info would accept it in
plain text over email, or maybe using whatsapp. If "paranoid", they
may request the user name being sent by mail and the password by SMS.
Yes, it's frustrating.

  Best Regards


Re: Keysigning

2014-12-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/03/2014 12:47 AM, MFPA wrote:
> Hi
> 
> 
> On Tuesday 2 December 2014 at 12:30:11 PM, in 
> , Robin Mathew Rajan
> wrote:
> 
> 
> 
>> My key is available on these key servers.
> 
> When GnuPG searched for the key to verify your signatures, It
> failed with:- gpg: key 0x7D3A6C5A47CF3842: rejected by import
> filter

This one means you should update your version of gnupg. It was a bug
back in 2.0.24 and 2.0.25 (and the 1.4 versions released around the
same time).
- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nulla regula sine exceptione
No rule without exception


Re: Keysigning

2014-12-02 Thread MFPA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Tuesday 2 December 2014 at 12:30:11 PM, in
, Robin Mathew Rajan wrote:



> My key is available on these key servers.

When GnuPG searched for the key to verify your signatures, it failed
with:-
gpg: key 0x7D3A6C5A47CF3842: rejected by import filter

But I was able to import it by gpg --recv-keys 0x7D3A6C5A47CF3842
without error.



- --
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

To know what we know, and know what we do not know, is wisdom.


Re: Keysigning

2014-12-02 Thread Aaron Toponce
On Tue, Dec 02, 2014 at 10:23:13AM -0700, Aaron Toponce wrote:
> Yes. You can get me through Tox. My Tox ID is:
> 
> 76AC69FEB7DA042DFD75F30574CEE3C6498DF9DD766E1D78FC5CB4693CA10BD381F696

Hmm. It seems to have been truncated in the paste. The actual Tox ID is:

30861A76AC69FEB7DA042DFD75F30574CEE3C6498DF9DD766E1D78FC5CB4693CA10BD381F696


-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Keysigning

2014-12-02 Thread Aaron Toponce
On Tue, Dec 02, 2014 at 01:57:13PM +0530, Robin Mathew Rajan wrote:
> Where can I get my keys signed? Does here anyone provide keysigning services
> through video conference? :)

Yes. You can get me through Tox. My Tox ID is:

76AC69FEB7DA042DFD75F30574CEE3C6498DF9DD766E1D78FC5CB4693CA10BD381F696

My key signing policy:
https://pthree.org/my-pgp-key-signing-policy/

I'm not as militant about key signing as some others in the community. I'll
take precautions, but I'll also make an attempt at getting more in the WoT.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Keysigning

2014-12-02 Thread Robin Mathew Rajan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello David :)

My key is available on these key servers.

http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=mail%40robinmathewrajan.com&fingerprint=on

https://pgp.mit.edu/pks/lookup?search=mail%40robinmathewrajan.com&op=vindex&fingerprint=on

Regards,
Robin Mathew Rajan


On 02-12-2014 PM 05:35, da...@gbenet.com wrote:
> On 02/12/14 10:53, Robin Mathew Rajan wrote:
>> Hello David, :)
>>
>> I already uploaded my public key to a public key server some months ago. But 
>> there's no local Linux users group where I live! I sent emails to some 
>> people listed at biglumber.com with my Government issued ID card attached. 
>> But no reply came from them. :( Some of them are CACert Assurers! 
>>
>> If someone could sign my key over video conferencing, that would be very 
>> much helpful to me. Yes, I know it's much less trusted than actual 
>> person-person meetups in real world. But at the same time, it offers an easy 
>> solution for someone living in a very remote area. And it's also 
>> particularly helpful if he/she can't afford travel expenses to get keys 
>> signed. I think it's just like performance vs. security in cryptography. 
>> Signing someone's key through video conferencing is less secure but at the 
>> same time it's an effective solution for remote areas. I think key signing 
>> through video conferencing, might help in reducing 'crypto divide' (like 
>> that in 'digital divide'). :)
>>
>> Regards,
>> Robin Mathew Rajan
>> https://www.robinmathewrajan.com/
>>
>>
>> On 02-12-2014 PM 03:05, da...@gbenet.com wrote:
>>> On 02/12/14 08:27, Robin Mathew Rajan wrote:
>>>> Hello,
>>>>
>>>> Where can I get my keys signed? Does here anyone provide keysigning 
>>>> services through video conference? :)
>>>>
>>>> Thanks and regards,
>>>> Robin Mathew Rajan
>>>>
>>>>
>>> Hello Robin,
>>
>>> The first thing you need to do is upload your public key to a key server.
>>> Perhaps you can find people where you live - a local Windows group or Linux
>>> group they would be happy to sign your key.
>>
>>> Video conferencing? You need to produce some documentation of who you are -
>>> some here may feel that video conferencing is not a good idea. But first get
>>> your public key to a key server.
>>
>>> David
>>
>>
>>
>>
>>
> Hello Robin,
> 
> I tried to download your public key from several servers - without any luck.
> As you're using Thunderbird you can always attach your public key.
> 
> As for key signing - then face to face communications are better. I've asked
> myself "what is the importance of people signing my keys?" There is no valid
> reason as far as I can see - though people like to build the web of trust -
> and for the most part - people on here are who they say they are - and over
> the years you get to build up trust. Though having said that I'm not about to
> rush out and sign everyone's keys.
> 
> Why not start your own group? There are lots of Linux groups around the world
> - unless you're stuck in the middle of nowhere! Perhaps you can provide a link
> to where you uploaded your public key?
> 
> David
> 


Re: Keysigning

2014-12-02 Thread da...@gbenet.com
On 02/12/14 10:53, Robin Mathew Rajan wrote:
> Hello David, :)
> 
> I already uploaded my public key to a public key server some months ago. But 
> there's no local Linux users group where I live! I sent emails to some people 
> listed at biglumber.com with my Government issued ID card attached. But no 
> reply came from them. :( Some of them are CACert Assurers! 
> 
> If someone could sign my key over video conferencing, that would be very much 
> helpful to me. Yes, I know it's much less trusted than actual person-person 
> meetups in real world. But at the same time, it offers an easy solution for 
> someone living in a very remote area. And it's also particularly helpful if 
> he/she can't afford travel expenses to get keys signed. I think it's just 
> like performance vs. security in cryptography. Signing someone's key through 
> video conferencing is less secure but at the same time it's an effective 
> solution for remote areas. I think key signing through video conferencing, 
> might help in reducing 'crypto divide' (like that in 'digital divide'). :)
> 
> Regards,
> Robin Mathew Rajan
> https://www.robinmathewrajan.com/
> 
> 
> On 02-12-2014 PM 03:05, da...@gbenet.com wrote:
>> On 02/12/14 08:27, Robin Mathew Rajan wrote:
>>> Hello,
>>>
>>> Where can I get my keys signed? Does here anyone provide keysigning 
>>> services through video conference? :)
>>>
>>> Thanks and regards,
>>> Robin Mathew Rajan
>>>
>>>
>> Hello Robin,
> 
>> The first thing you need to do is upload your public key to a key server.
>> Perhaps you can find people where you live - a local Windows group or Linux
>> group they would be happy to sign your key.
> 
>> Video conferencing? You need to produce some documentation of who you are -
>> some here may feel that video conferencing is not a good idea. But first get
>> your public key to a key server.
> 
>> David
> 
> 
> 
> 
> 
Hello Robin,

I tried to download your public key from several servers - without any luck.
As you're using Thunderbird you can always attach your public key.

As for key signing - then face to face communications are better. I've asked
myself "what is the importance of people signing my keys?" There is no valid
reason as far as I can see - though people like to build the web of trust - and
for the most part - people on here are who they say they are - and over the
years you get to build up trust. Though having said that I'm not about to rush
out and sign everyone's keys.

Why not start your own group? There are lots of Linux groups around the world -
unless you're stuck in the middle of nowhere! Perhaps you can provide a link to
where you uploaded your public key?

David

-- 
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of
the kind. Stern, sane, every brain-cell perfect and complete even at the moment
of death. No delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com





Re: Keysigning

2014-12-02 Thread Robin Mathew Rajan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello David, :)

I already uploaded my public key to a public key server some months ago. But 
there's no local Linux users group where I live! I sent emails to some people 
listed at biglumber.com with my Government issued ID card attached. But no 
reply came from them. :( Some of them are CACert Assurers! 

If someone could sign my key over video conferencing, that would be very much 
helpful to me. Yes, I know it's much less trusted than actual person-person 
meetups in real world. But at the same time, it offers an easy solution for 
someone living in a very remote area. And it's also particularly helpful if 
he/she can't afford travel expenses to get keys signed. I think it's just like 
performance vs. security in cryptography. Signing someone's key through video 
conferencing is less secure but at the same time it's an effective solution for 
remote areas. I think key signing through video conferencing, might help in 
reducing 'crypto divide' (like that in 'digital divide'). :)

Regards,
Robin Mathew Rajan
https://www.robinmathewrajan.com/


On 02-12-2014 PM 03:05, da...@gbenet.com wrote:
> On 02/12/14 08:27, Robin Mathew Rajan wrote:
>> Hello,
>>
>> Where can I get my keys signed? Does here anyone provide keysigning services 
>> through video conference? :)
>>
>> Thanks and regards,
>> Robin Mathew Rajan
>>
>>
> Hello Robin,
> 
> The first thing you need to do is upload your public key to a key server.
> Perhaps you can find people where you live - a local Windows group or Linux
> group they would be happy to sign your key.
> 
> Video conferencing? You need to produce some documentation of who you are -
> some here may feel that video conferencing is not a good idea. But first get
> your public key to a key server.
> 
> David
> 
> 
> 
> 


Re: Keysigning

2014-12-02 Thread da...@gbenet.com
On 02/12/14 08:27, Robin Mathew Rajan wrote:
> Hello,
> 
> Where can I get my keys signed? Does here anyone provide keysigning services 
> through video conference? :)
> 
> Thanks and regards,
> Robin Mathew Rajan
> 
> 
Hello Robin,

The first thing you need to do is upload your public key to a key server.
Perhaps you can find people where you live - a local Windows group or Linux
group they would be happy to sign your key.

Video conferencing? You need to produce some documentation of who you are -
some here may feel that video conferencing is not a good idea. But first get
your public key to a key server.

David

-- 
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of
the kind. Stern, sane, every brain-cell perfect and complete even at the moment
of death. No delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com





Keysigning

2014-12-02 Thread Robin Mathew Rajan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello,

Where can I get my keys signed? Does anyone here provide keysigning services 
through video conference? :)

Thanks and regards,
Robin Mathew Rajan


Re: keysigning: lsign and offline master key

2014-01-05 Thread nb.linux
Daniel Kahn Gillmor:
>  0) --export-options export-local on your air-gapped system, combined
> with --import-options import-local on your "regular" system.

> Would either of these workflows meet your goals?

Thanks! That's exactly what I was looking for.

-- nb.linux




Re: keysigning: lsign and offline master key

2014-01-04 Thread Hauke Laging
On Sat 04.01.2014, 21:41:32, nb.linux wrote:

> How can I lsign a key and transfer the local signature from my air
> gapped system?

--export-options export-local-sigs

Not necessary for import if the importing system knows the signing key 
as secret key (no matter whether the mainkey is available or not).


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5




Re: keysigning: lsign and offline master key

2014-01-04 Thread Daniel Kahn Gillmor
On 01/04/2014 04:41 PM, nb.linux wrote:
> - ...here I'm stuck, because (as I understand the lsign) I cannot export
> the signature...
> 
> Is this right?
> How can I lsign a key and transfer the local signature from my air
> gapped system?
> Maybe by copying the keyring files between the systems?

You have at least two approaches available to you:

 0) --export-options export-local on your air-gapped system, combined
with --import-options import-local on your "regular" system.

 1) create a secret key that lives only on your "regular" system; give
it ultimate ownertrust, but never publish it.  Use it to make
non-exportable signatures.

Would either of these workflows meet your goals?

--dkg



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
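
The export and import options named in the two replies above, exercised end to end; this is an added example and not part of the thread. It uses the documented long option names export-local-sigs and import-local-sigs, needs GnuPG 2.1 or later, and every key, address and directory in it is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: transfer an lsign (local, non-exportable) certification from
# an "air-gapped" keyring to a "regular" one. Every key, name and directory
# here is constructed for the demo; each keyring is a throwaway --homedir.
set -eu

# g HOMEDIR ARGS...: run gpg non-interactively against one keyring.
g() { _home=$1; shift; gpg --batch --quiet --no-tty --homedir "$_home" "$@"; }

# new_key HOMEDIR USERID: unprotected ed25519 key (acceptable for a demo only).
new_key() {
    g "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 default never
}

# fpr_of HOMEDIR USERID: primary fingerprint (field 10 of the first fpr record).
fpr_of() {
    g "$1" --with-colons --with-fingerprint --list-keys "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# count_local_sigs HOMEDIR FPR: a sig record whose class (field 11) ends in
# "l" is a local certification; exportable ones end in "x".
count_local_sigs() {
    g "$1" --with-colons --list-sigs "$2" |
        awk -F: '$1 == "sig" && $11 ~ /l$/ { n++ } END { print n + 0 }'
}

# Prints three counts of local signatures seen on the regular keyring:
# after a default export, after export-local-sigs with a default import,
# and after export-local-sigs combined with import-local-sigs.
lsign_transfer_demo() {
    work=$(mktemp -d)
    airgap=$work/airgap; regular=$work/regular; peer=$work/peer
    mkdir -m 700 "$airgap" "$regular" "$peer"
    {
        new_key "$airgap" 'Me (demo) <me@example.org>'
        new_key "$peer" 'Peer (demo) <peer@example.org>'
        me=$(fpr_of "$airgap" me@example.org)
        them=$(fpr_of "$peer" peer@example.org)

        # Air-gapped side: import the peer's key, lsign it, export it twice.
        g "$peer" --export "$them" | g "$airgap" --import
        g "$airgap" --yes --quick-lsign-key "$them"
        g "$airgap" --export "$them" > "$work/plain.gpg"
        g "$airgap" --export-options export-local-sigs \
            --export "$them" > "$work/local.gpg"

        # Regular side: holds only the public part of the certifying key.
        g "$airgap" --export "$me" | g "$regular" --import
        g "$regular" --import "$work/plain.gpg"
        n_default=$(count_local_sigs "$regular" "$them")
        g "$regular" --import "$work/local.gpg"
        n_export_only=$(count_local_sigs "$regular" "$them")
        g "$regular" --import-options import-local-sigs --import "$work/local.gpg"
        n_both=$(count_local_sigs "$regular" "$them")

        for d in "$airgap" "$regular" "$peer"; do
            gpgconf --homedir "$d" --kill gpg-agent || :
        done
        rm -rf "$work"
    } >&2
    echo "$n_default $n_export_only $n_both"
}

if command -v gpg >/dev/null 2>&1; then
    RESULT=$(lsign_transfer_demo)
    echo "local sigs on regular keyring (default / export only / both): $RESULT"
fi
```

The regular keyring in this demo has no secret key for the certifier, so the import option is required; the case where the importing side already holds the signing key as a secret key is the one described in the 2014-01-04 reply.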


keysigning: lsign and offline master key

2014-01-04 Thread nb.linux
Hi,

I have an offline master key with C/S capabilities and two subkeys (E, S).
When (publicly) signing keys, usually I load my air gapped system with
the master key, sign each individual UID of the key to sign, and export
the signatures. Then send the signatures encrypted to the UID.

What would the procedure look like for an lsign?
- load system with master key
- lsign the key/UIDs
- ...here I'm stuck, because (as I understand the lsign) I cannot export
the signature...

Is this right?
How can I lsign a key and transfer the local signature from my air
gapped system?
Maybe by copying the keyring files between the systems?

Thanks in advance,
-- nb.linux



Keysigning Event Aachen

2011-11-28 Thread markus reichelt
Aloha,

Oecher Keysigning Party III
Thu 15.12.2011, 18:30 sharp
Aachen, Elisenbrunnen (left wing)

http://mareichelt.com/okp3/





Re: keysigning parties

2011-07-13 Thread Robert J. Hansen
> I am having a really hard time finding any *current* info on
> key signing parties. I was wondering if someone could point me in the
> right direction. 

What sort of information do you need?

If it's, "how do I find one?", the best answer is, "throw one!"  Turn it into a 
social event: do something like host a doubleheader of _Sneakers_ and _The 
Conversation_, tell people to BYOB and bring printed slips with their 
certificate fingerprints.

If it's, "how do we share certificate fingerprints quickly?", the general 
protocol is this.  Before the party, everyone gets told a headcount for 
attendees.  Each participant is required to bring a number of printed copies of 
their fingerprint.  Each copy has the person's name, the identity documents 
they'll be presenting, and their preferred email address.  (I have my email 
address and fingerprint on my business cards: for me, I just write down 
"passport + DL" on the back and I'm done.)

At the party, divide the attendees into two equal groups.  Assemble them into 
two lines facing each other.  Each pair of people verify each other's identity 
documents and pocket the other person's fingerprint slip.  If for whatever 
reason you want to reject an identity document, you put a strikethrough on that 
part of the slip.

After a couple of minutes, each pair of people will be finished.  The line 
moves down one, and the person who just 'fell off the end' cycles back to the 
first position.  Repeat this until the entire line has been completed.

* Why paper slips? -- because the fingerprint is really all you need to 
circulate: with the fingerprint the recipient can find it on the keyservers.  
Also, if you share media you open the door for propagating malware, and that's 
a Bad Thing.

* Why put the documents you're presenting on each slip? -- because if you're 
collecting papers and fingerprints from 25 other people, it's handy to have a 
way to remember, "ah, right, key 0xD6B98E10 -- I saw Rob's passport and his 
driver's license."  This sort of information is useful: it may enter into some 
people's security models.

* Why reject documents? -- because people are allowed to have their own 
security policies, and some people may say, "I don't know what a valid 
Connecticut driver's license looks like, so I'm going to reject this DL because 
I have no way of telling if it's real."



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
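
One way to run the after-party check that the slip protocol above leads to, as an added example that is not part of the original message: each slip is compared with the keys fetched by fingerprint before anything is signed. The slip file layout (fingerprint|name|e-mail|documents, with "~" standing in for a struck-through document) is an assumption, and the slips and the key listing, which imitates gpg --with-colons --fingerprint output, are constructed sample data.

```sh
#!/bin/sh
# Added example: decide which keys from a party may be signed, by checking
# each paper slip against the keys fetched afterwards. Slip layout and all
# sample data are constructed for the demo.
set -eu

# check_slips LISTING SLIPS
#   LISTING: saved output of `gpg --with-colons --fingerprint`
#   SLIPS:   one slip per line, fingerprint|name|e-mail|documents
#            ("~" before a document = struck through on the slip)
check_slips() {
    awk '
    function accepted(docs,    i, n, d) {   # any document not struck through?
        n = split(docs, d, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", d[i])
            if (d[i] != "" && substr(d[i], 1, 1) != "~") return 1
        }
        return 0
    }
    pass == 1 {                             # pass 1: the fetched keys
        split($0, f, ":")
        if (f[1] == "pub") primary = 1
        else if (f[1] == "sub") primary = 0
        else if (f[1] == "fpr" && primary) {    # first fpr after pub
            cur = f[10]; known[cur] = 1; tail[substr(cur, 33)] = 1; primary = 0
        } else if (f[1] == "uid" && cur != "") uids[cur] = uids[cur] "\n" f[10]
        next
    }
    {                                       # pass 2: the paper slips
        if (split($0, s, "|") < 4) next
        fpr = toupper(s[1]); gsub(/[ \t]/, "", fpr)
        if (length(fpr) != 40 || fpr !~ /^[0-9A-F]+$/)
            why = "slip fingerprint is not 40 hex digits"
        else if (!(fpr in known)) {
            if (substr(fpr, 33) in tail)
                why = "short key ID matches a fetched key, full fingerprint differs"
            else
                why = "no fetched key has this fingerprint"
        } else if (index(uids[fpr], "<" s[3] ">") == 0)
            why = "slip e-mail address is not a user ID on the key"
        else if (!accepted(s[4]))
            why = "every identity document was rejected"
        else
            why = ""
        print (why == "" ? "SIGN " fpr " " s[3] : "SKIP " fpr " " why)
    }' pass=1 "$1" pass=2 "$2"
}

# Runs check_slips over constructed sample data and prints one line per slip.
check_slips_demo() {
    dir=$(mktemp -d)
    cat > "$dir/keys.txt" <<'EOF'
pub:-:255:22:89ABCDEF01234567:1310000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1310000000::::Alice Example <alice@example.org>:
sub:-:255:18:2222222222222222:1310000000::::::e:
fpr:::::::::2222222222222222222222222222222222222222:
pub:-:255:22:76543210FEDCBA98:1310000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1310000000::::Bob Example <bob@example.org>:
pub:-:255:22:7777888899990000:1310000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1310000000::::Carol Example <carol@example.org>:
pub:-:255:22:0F0F0F0F0F0F0F0F:1310000000:::-:::scESC:
fpr:::::::::0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F:
uid:-::::1310000000::::Dave Example <dave@example.org>:
EOF
    cat > "$dir/slips.txt" <<'EOF'
0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567|Alice Example|alice@example.org|passport,DL
FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98|Bob Example|bob@example.org|~DL
AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 9999 0000|Carol Example|carol@example.org|passport
0F0F 0F0F 0F0F 0F0F 0F0F  0F0F 0F0F 0F0F 0F0F 0F0F|Dave Example|dave@example.net|passport
EOF
    check_slips "$dir/keys.txt" "$dir/slips.txt"
    rm -rf "$dir"
}

check_slips_demo
```

Only the first slip yields a SIGN line; the third shows why the full 40-digit fingerprint from the slip, not a short key ID, has to match the fetched key.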


Re: keysigning parties

2011-07-13 Thread Robert J. Hansen
> Are you looking for information about how a keysigning party is run
> today?

If by "a" you mean "one particular," I have no objection: if by "a" you mean 
"in general," I object.  :)

There are techniques that focus on "let's get this over with as soon as 
possible, even if it requires copious prep ahead-of-time and special equipment 
like projectors," and techniques that focus on "well, this is largely an ad-hoc 
thing, so let's depend on as little special equipment as possible, and a simple 
system that everyone understands."  I think it's best to choose a method that 
fits your particular needs, and to err on the side of simplicity.





Re: keysigning parties

2011-07-13 Thread Daniel Kahn Gillmor
On 07/14/2011 12:14 AM, David Shaw wrote:
> On Jul 13, 2011, at 10:07 PM, Aaron Kaufman wrote:
> 
>> This is my first post to this list so please excuse me if i violate any
>> etiquette. I am having a really hard time finding any *current* info on
>> key signing parties. I was wondering if someone could point me in the
>> right direction. 
> 
> Are you looking to find a party to get your key signed? [...]
> Are you looking for information about what happens at the parties[...]

Are you looking for information about how a keysigning party is run
today?  DebConf11 (starting in a little more than a week from today in
Bosnia) will have a KSP.  Info on how it is being organized is here:

 http://people.debian.org/~anibal/ksp-dc11/ksp-dc11.html

Regards,

--dkg





Re: keysigning parties

2011-07-13 Thread David Shaw
On Jul 13, 2011, at 10:07 PM, Aaron Kaufman wrote:

> Hello,
> 
> This is my first post to this list so please excuse me if i violate any
> etiquette. I am having a really hard time finding any *current* info on
> key signing parties. I was wondering if someone could point me in the
> right direction. 

Are you looking to find a party to get your key signed?  If so, check out
www.biglumber.com.  That has both individual people as well as events (parties).

Are you looking for information about what happens at the parties (i.e. the
keysigning protocols)?  If so, check out the "methods" links under
www.keysigning.org.  That site has some event info as well.

There are other sites, but those are good starting points.

David




keysigning parties

2011-07-13 Thread Aaron Kaufman
Hello,

This is my first post to this list so please excuse me if I violate any
etiquette. I am having a really hard time finding any *current* info on
key signing parties. I was wondering if someone could point me in the
right direction. 

Thanks,

-- 
Aaron 



Keysigning event party in Cebit 2011?

2011-02-16 Thread Ludovic Hirlimann
Hi,

I've just learned that I might attend Cebit. I was wondering if there
were plans to have a keysigning event / party, and if so where the
meeting point would be.

Ludo

-- 
http://perso.hirlimann.net/~ludo/blog/
http://flickr.com/photos/lhirlimann





Fyi: keysigning parties in Brazil

2010-12-28 Thread Marcio B. Jr.
Hi,
this wiki, maintained by "Associação Software Livre", is dedicated to
coordinating (and subsequently, listing) all of the keysigning parties in
Brazil:

http://wiki.softwarelivre.org/KSP/WebHomeEn


regards, and a harmonious 2011 to you all,



Marcio Barbado, Jr.



FYI: Keysigning events at FOSDEM (Feb 7th) and Chemnitz Linux-Days (March 13th)

2010-01-30 Thread markus reichelt
Hi,

for those interested in keysigning there are two upcoming events:

PGP/GPG/CA Keysigning events on Sunday Feb 7th at FOSDEM in Brussels
http://fosdem.org/2010/keysigning
Deadline for key submission: Monday, Feb 1st 2010 (hurry up!)

PGP/GPG Keysigning event on Saturday March 13th at Chemnitz Linux Days
More info (in German and English) is available at
http://chemnitzer.linux-tage.de/2010/addons/pgp.html
Deadline for key submission: Wednesday, March 10th 2010


Thanks to the people organizing the events.


At both events the FSFE will be present, so check out its booth if
you are generally interested in free software: http://fsfe.org/


-- 
left blank, right bald




FYI: Keysigning Party at FrOSCon 2009 in Sankt Augustin (August 22nd)

2009-07-30 Thread markus reichelt
Hi,

for those interested, there's going to be a keysigning party at
FrOSCon 2009 in Sankt Augustin on August 22nd, 12:30h:

http://ksp.froscon.org/

Deadline for key submission is Thursday, August 20th 2009.

More info about the conference is online at http://www.froscon.org/

-- 
left blank, right bald




Re: FYI: Keysigning at Linuxtag 2009 in Berlin (June 26th)

2009-06-09 Thread Andre Amorim
When do you come to London?

2009/6/9 markus reichelt :
> Hi,
>
>
> for those interested, there's going to be again a keysigning party at
> Linuxtag 2009 in Berlin (June 26th):
>
> http://wiki.linuxtag.org/w/Keysigning_2009
>
> Deadline for key submission is Sunday, June 21st, 23:59
>
>
> (Sorry for the late announcement, last year's keysigning was
> announced 6 weeks before the actual event.)
>
> --
> left blank, right bald
>
>
>



-- 
Andre Amorim
GnuPG KEY ID: 0x587B1970
FingerPrint:  42AE C929 4D91 4591 4E75 430F 78D9 53B4 587B 1970
Download: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x587B1970



FYI: Keysigning at Linuxtag 2009 in Berlin (June 26th)

2009-06-09 Thread markus reichelt
Hi,


for those interested, there's going to be again a keysigning party at
Linuxtag 2009 in Berlin (June 26th):

http://wiki.linuxtag.org/w/Keysigning_2009

Deadline for key submission is Sunday, June 21st, 23:59


(Sorry for the late announcement, last year's keysigning was
announced 6 weeks before the actual event.)

-- 
left blank, right bald




Re: FYI: Keysigning events at FOSDEM (Feb 8th) and Chemnitzer Linux-Tage (March 14th)

2009-02-17 Thread markus reichelt
* markus reichelt  wrote:

> PGP/GPG Keysigning event on Saturday March 14th 18:00h at Chemnitz
> Linux Days in ... Chemnitz.
> 
> Deadline for key submission: *Monday March 9th*

This is just a friendly (and last) reminder that you can still
participate, just honour the deadline. More info (in German &
English) is available at

http://chemnitzer.linux-tage.de/2009/service/pgp_en.html

Hope to see you there.

-- 
left blank, right bald




Re: FYI: Keysigning events at FOSDEM (Feb 8th) and Chemnitzer Linux-Tage (March 14th)

2009-01-25 Thread markus reichelt
* markus reichelt  wrote:

> PGP/GPG/CA Keysigning events on Sunday Feb 8th at FOSDEM in
> Brussels The exact time is yet to be announced, more info (in
> English) at http://fosdem.org/2009/keysigning
> 
> Deadline for key submission: Thursday Jan 29th, 8:00 PM CEST

This is just a friendly (and last) reminder that you can still
participate, just honour the deadline. More info about it all at

http://ksp.mdcc.cx/

Hope to see you there.

-- 
left blank, right bald




FYI: Keysigning events at FOSDEM (Feb 8th) and Chemnitzer Linux-Tage (March 14th)

2009-01-08 Thread markus reichelt
Hi,

for those interested in keysigning there are two upcoming events:

PGP/GPG/CA Keysigning events on Sunday Feb 8th at FOSDEM in Brussels
The exact time is yet to be announced, more info (in English) at
http://fosdem.org/2009/keysigning

Deadline for key submission: Thursday Jan 29th, 8:00 PM CEST



PGP/GPG Keysigning event on Saturday March 14th 18:00h at Chemnitz
Linux Days in ... Chemnitz.
More info (in German and English) is available at 
http://chemnitzer.linux-tage.de/2009/service/pgp_en.html

Deadline for key submission: Monday March 9th 


Thanks to the people organizing the events.

Hope to see you there...

-- 
left blank, right bald




FYI: Keysigning at FROSCON 2008 in Bonn-Rhein-Sieg (August 23rd)

2008-08-14 Thread markus reichelt
Hi,


for those interested, there's going to be again a keysigning party at
FROSCON 2008 in Bonn-Rhein-Sieg (August 23rd):

http://ksp.froscon.org/


-- 
left blank, right bald




Re: FYI: Keysigning at Linuxtag 2008 in Berlin (May 30th)

2008-04-17 Thread Werner Koch
On Wed, 16 Apr 2008 17:11, [EMAIL PROTECTED] said:

> http://wiki.linuxtag.net/w/Keysigning_2008

Please don't use this procedure - it just doesn't work.  Within a group
of cryptographers it is a nice protocol but not in the real world.

The procedure does not cope with the problem that people don't
understand what they have to do, don't have a pencil at hand, they need
to juggle with a long list, a pencil and several passports.  Worst of all
there will be quite some folks who pop up too late and want to get their
keys signed too.  Rejecting them is not an option and thus you need to
resort to the fingerprint slip method anyway.

The only procedure which works is to ask the attendees to print their
fingerprint on paper slips in regular typewriter mode.  With two user
IDs this yields 10 slips per A4 page.  At the party you walk along all
other attendees, look at the passport etc and receive the paper slip if
you accept the identity.  For those who don't want to sign all user IDs,
they will probably have a pencil and can cross-out the other user IDs.

That procedure is way faster than anything else, easy to explain, scales
well and can even handle those arriving too late or not properly
prepared.  It is also more like a party than that mumbling of numbers
without proper use of the ICAO phonetic alphabet.

At the last conference we had about 20 sending in their keys, 6 actually
attending, about 3 arriving too late and about 5 not having sent in
their keys but carrying paper slips around.  Processing the 5 with the
paper slips was faster than those on the list.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




FYI: Keysigning at Linuxtag 2008 in Berlin (May 30th)

2008-04-16 Thread markus reichelt
Hi,


for those interested, there's going to be again a keysigning party at
Linuxtag 2008 in Berlin (May 30th):

http://wiki.linuxtag.net/w/Keysigning_2008


-- 
left blank, right bald




Keysigning request

2008-04-08 Thread Neal Dudley
Is there anyone in the Chicago area who would be willing and able to meet me to
sign my GPG key?  Yes, I have looked on Biglumber and contacted several people
from there.  Yes, I have searched for WoT groups in the area.  No, not one
person has met with me yet.  I will only be in Chicago for the next few days.

If you, or someone you know, is in the Chicago area and would be able to meet
with me to id me and sign my key, I would very much appreciate it.  Thank you
for your time.



Keysigning request

2008-04-02 Thread Neal Dudley
Is there anyone in the Chicago area who would be willing and able to meet me
to sign my GPG key?  Yes, I have looked on Biglumber and contacted several
people from there.  Yes, I have searched for WoT groups in the area.

If you, or someone you know, is in the Chicago area and would be able to
meet with me to id me and sign my key, I would very much appreciate it.
Thank you for your time.





Re: Keysigning challenge policies/procedures

2006-07-11 Thread Todd Zullinger

Atom Smasher wrote:
> pgp Key Signing Observations: Overlooked Social and Technical
> Considerations
> 
> 
> there's a few sections in that article that might be of interest.

Indeed, thank you Atom!  I'll pass this link along for more
information after my short talk.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Politicians are the same all over. They promise to build bridges even
when there are no rivers.
-- Nikita Khrushchev



Re: Keysigning challenge policies/procedures

2006-07-10 Thread Atom Smasher

On Thu, 6 Jul 2006, Todd Zullinger wrote:

> I was wondering if some folks here have detailed their challenge
> policies and procedures and if you'd mind sharing them if you have? Even
> handier would be some scripts to help in the automation of this task.
> ;)

==

pgp Key Signing Observations: Overlooked Social and Technical 
Considerations 


there's a few sections in that article that might be of interest.


--
...atom

 
 http://atom.smasher.org/
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -

"We in the West must bear in mind that the poor countries
 are poor primarily because we have exploited them through
 political or economic colonialism."
-- Martin Luther King, Jr





Re: Keysigning challenge policies/procedures

2006-07-09 Thread Ingo Klöcker
On Sunday 09 July 2006 06:27, Alphax wrote:
> Michael Kallas wrote:
> > David Shaw wrote:
> >> I've been away on vacation and only picked up this thread now. 
> >> This statement is not correct.  Back in the PGP 2.x days, this
> >> might have been true, but with OpenPGP, there is no particular
> >> requirement that the ability to sign and the ability to decrypt
> >> are connected.  You can have a shared key with separate
> >> capabilities.
> >>
> >> Sending a signed key via encrypted mail does not ensure anything
> >> about the key owner.
> >
> > Why not?
> > Sorry, this conclusion was too fast for me, could you please
> > explain a little bit?

The key (i.e. the primary key) could belong to a group, but only one 
person of the group might be the key owner (i.e.  have full access to 
the key) or even no member of the group might be the key owner, but 
only a superior entity like the company's CA. Moreover, each member of 
the group could have a separate encryption subkey.

This example should explain why sending a signed key via encrypted mail 
doesn't ensure anything about the key owner.

Of course, with respect to keys belonging to real persons rather than to 
entities/companies/etc. this example is probably not that convincing.

> Suppose you send an email to Address W and encrypt an "authentication
> token" to Key X. You receive a reply from Address Y, containing the
> authentication token, which has been signed with Key Z.
>
> This tells you that /someone/ with access to W has received a
> message; /someone/ with access to X has decrypted it; /someone/ with
> access to Z has signed a reply; and /someone/ with access to Y has
> sent a reply.

Except for the Y part this is correct. But the contents of the From 
address, i.e. Y, means absolutely nothing.

> Keys X and Z may or may not be the same key or subkeys of the same
> primary key, addresses W and Y may or may not be the same, and Y may
> or may not have been faked (which is trivial).

Exactly. And therefore you shouldn't have written above "and /someone/ 
with access to Y has sent a reply" because anyone could have sent the 
reply.

Regards,
Ingo




Re: Keysigning challenge policies/procedures

2006-07-09 Thread Michael Kallas
Hi,

Alphax wrote:
> Suppose you send an email to Address W and encrypt an "authentication
> token" to Key X. You receive a reply from Address Y, containing the
> authentication token, which has been signed with Key Z.
> 
> This tells you that /someone/ with access to W has received a message;
> /someone/ with access to X has decrypted it; /someone/ with access to Z
> has signed a reply; and /someone/ with access to Y has sent a reply.
> 
> Keys X and Z may or may not be the same key or subkeys of the same
> primary key, addresses W and Y may or may not be the same, and Y may or
> may not have been faked (which is trivial).
Couldn't I check this by looking at the public keys they published at
key servers?

Best wishes
Michael

-- 
Nobody can save your freedom but YOU -
become a fellow of the FSF Europe! http://www.fsfe.org/en




Re: Keysigning challenge policies/procedures

2006-07-08 Thread Alphax
Michael Kallas wrote:
> David Shaw wrote:
>> I've been away on vacation and only picked up this thread now.  This
>> statement is not correct.  Back in the PGP 2.x days, this might have
>> been true, but with OpenPGP, there is no particular requirement that
>> the ability to sign and the ability to decrypt are connected.  You can
>> have a shared key with separate capabilities.
>>
>> Sending a signed key via encrypted mail does not ensure anything
>> about the key owner.
> Why not?
> Sorry, this conclusion was too fast for me, could you please explain a
> little bit?
> 

Suppose you send an email to Address W and encrypt an "authentication
token" to Key X. You receive a reply from Address Y, containing the
authentication token, which has been signed with Key Z.

This tells you that /someone/ with access to W has received a message;
/someone/ with access to X has decrypted it; /someone/ with access to Z
has signed a reply; and /someone/ with access to Y has sent a reply.

Keys X and Z may or may not be the same key or subkeys of the same
primary key, addresses W and Y may or may not be the same, and Y may or
may not have been faked (which is trivial).

The "owners" of W, X, Y and Z could be four different people, or they
might not be people at all; all you can really say about the "key owner"
is that X is in contact with W and Z, and Z is in contact with X and Y.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g





Re: Keysigning challenge policies/procedures

2006-07-08 Thread Michael Kallas
David Shaw wrote:
> I've been away on vacation and only picked up this thread now.  This
> statement is not correct.  Back in the PGP 2.x days, this might have
> been true, but with OpenPGP, there is no particular requirement that
> the ability to sign and the ability to decrypt are connected.  You can
> have a shared key with separate capabilities.
> 
> Sending a signed key via encrypted mail does not ensure anything
> about the key owner.
Why not?
Sorry, this conclusion was too fast for me, could you please explain a
little bit?

Best wishes
Michael

-- 
Nobody can save your freedom but YOU -
become a fellow of the FSF Europe! http://www.fsfe.org/en




Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger

Hi David,

David Shaw wrote:
> I've been away on vacation and only picked up this thread now.

Hope it was relaxing.  Welcome back seems like a negative thing to
say.  ;)

> This statement is not correct.  Back in the PGP 2.x days, this might
> have been true, but with OpenPGP, there is no particular requirement
> that the ability to sign and the ability to decrypt are connected.
> You can have a shared key with separate capabilities.
> 
> Sending a signed key via encrypted mail does not ensure anything
> about the key owner.

Marcus and Ingo have been very helpful in providing pretty specific
procedures that they've used (and documented) for key signing.  I've
read with interest the comments that you've made over the years as the
topic of keysigning has come up and I'd be very appreciative if you
could share a basic outline of the procedure you take or recommend.

As I alluded to at the start of this thread, I've been volunteered to
give a talk on the process and reason behind key signing at an
upcoming meeting of my local LUG.  I've been trying to find as many
different people's policies and procedures as I can prior to my
presentation to a) refresh my memory and b) prepare for potential
questions on why one might use a particular method.

I highly respect the methods you've outlined on this list and I think
the members of my local LUG could benefit greatly from being exposed
to the policy/procedure for handling keys they come across at a key
signing party.

Thanks much for your efforts on GnuPG.  Like OpenSSH, it's one of the
applications that I use every single day and would have a hard time
living without.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Life is the art of drawing without an eraser.
-- John Gardner



Re: Keysigning challenge policies/procedures

2006-07-07 Thread David Shaw
On Fri, Jul 07, 2006 at 07:22:40PM +0200, Mark Kirchner wrote:
> On Friday, July 7, 2006, 11:19:47 AM, Marcus wrote:
> > * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> >
> >> What I don't see in any of the links is more information about sending
> >> an email challenge before signing a key.  (My apologies if I'm
> >> overlooking it on your page or any of the others.)
> >
> > Before I used a protocol to signing keys where I sent out random strings
> > as challenge response but it's not worth. There is no enhanced security
> > and only more work for "signer" and "signee". If you send the signed UIDs
> > encrypted to each mail address separately it has the same effect in
> > security
> 
> I don't think that's true: Decryption is (usually) handled by the
> encryption subkey and there's absolutely no guarantee that this subkey
> is controlled by the same person as the primary/signing key. There may
> even be valid reasons to split the two "roles".
> 
> Since UIDs are attached to the primary key and the primary key is the
> only one that can modify UIDs (and signing a key is all about UIDs)
> this system can't prove what it's supposed to prove: The link between
> the UID (better: the e-mail-address in it) and the person in control
> of it.

This is exactly correct.  The "identity" (for lack of a better word)
is the primary+UID.  Since that is what you are signing when you sign
someone's key, that is what you should be verifying before you make
the signature.

David



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Marcus Frings
* Ingo Klöcker <[EMAIL PROTECTED]> wrote:
> On Friday 07 July 2006 17:09, Todd Zullinger wrote:

>> Have you found in practice that you don't run into many sign-only
>> keys that you are asked to certify?

> Among a few hundred keys I've signed so far only a handful were 
> sign-only or certification-only keys. I did simply sign them with a 
> lower verification level.

Me, too. I just give these sign-only keys a level of 2 as explained in
my policy. I have been at several (large) keysigning parties and luckily
there are not so many sign-only keys around. I don't like them very much
but that's life ...

Regards,
Marcus
-- 
"Paranoia - that just means seeing reality
more realistically than others."




Re: Keysigning challenge policies/procedures

2006-07-07 Thread David Shaw
On Fri, Jul 07, 2006 at 04:15:03PM -0400, Todd Zullinger wrote:
> Ingo Klöcker wrote:
> > On Friday 07 July 2006 17:09, Todd Zullinger wrote:
> [...]
> >> But that does mean that you can't get a signed key to someone if
> >> the key you've signed doesn't have any encryption capabilities,
> >> correct?
> > 
> > That's obviously correct. In this case you could give the key owner
> > a piece of paper with a random string and ask him to send it in a
> > signed message to your email address. Then you know that he can use
> > this key for signing messages. Obviously, you can't check the
> > validity of the email addresses belonging to this key (unless he's
> > got an encryption key you can use for checking the addresses).
> 
> Is it really necessary to encrypt the challenge?  If the key has
> encryption capabilities, I would do so, but if it was a sign only key
> and I could not do so, just what sort of attacks or weaknesses are
> there in sending the challenge in the clear?  I've seen David Shaw
> point out that it didn't gain you much.  I'm just trying to work
> through the possible scenarios so I have them clear in my mind before
> trying to present this to a larger group, who may well end up with
> questions on this that I'd like to have better answers for than I do
> now.

There is no harm (and no real benefit either) in sending the challenge
NOT in the clear.  Either way, you're proving the same thing: whether
the email address goes anywhere and whether someone who has access to
the email also has access to the key.

David



Re: Keysigning challenge policies/procedures

2006-07-07 Thread David Shaw
On Fri, Jul 07, 2006 at 08:39:37PM +0200, Ingo Klöcker wrote:
> On Friday 07 July 2006 17:09, Todd Zullinger wrote:
> > Marcus Frings wrote:
> > > * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> > >> What I don't see in any of the links is more information about
> > >> sending an email challenge before signing a key.  (My apologies if
> > >> I'm overlooking it on your page or any of the others.)
> > >
> > > Before I used a protocol to signing keys where I sent out random
> > > strings as challenge response but it's not worth. There is no
> > > enhanced security and only more work for "signer" and "signee". If
> > > you send the signed UIDs encrypted to each mail address separately
> > > it has the same effect in security because if the mail address
> > > bounces or the person behind the address doesn't have the private
> > > key your signed UIDs won't become publicly available.
> >
> > But that does mean that you can't get a signed key to someone if the
> > key you've signed doesn't have any encryption capabilities, correct?
> 
> That's obviously correct. In this case you could give the key owner a 
> piece of paper with a random string and ask him to send it in a signed 
> message to your email address. Then you know that he can use this key 
> for signing messages. Obviously, you can't check the validity of the 
> email addresses belonging to this key (unless he's got an encryption 
> key you can use for checking the addresses).

Sure you can: just send the random string to the email address.  If
the person can return the string back to you, signed, then you know
that there is access to both the signing key and the email address.

David



Re: Keysigning challenge policies/procedures

2006-07-07 Thread David Shaw
On Fri, Jul 07, 2006 at 11:19:47AM +0200, Marcus Frings wrote:
> * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> 
> > What I don't see in any of the links is more information about sending
> > an email challenge before signing a key.  (My apologies if I'm
> > overlooking it on your page or any of the others.)
> 
> Before I used a protocol to signing keys where I sent out random strings
> as challenge response but it's not worth. There is no enhanced security
> and only more work for "signer" and "signee". If you send the signed UIDs
> encrypted to each mail address separately it has the same effect in
> security because if the mail address bounces or the person behind the
> address doesn't have the private key your signed UIDs won't become
> publicly available.

I've been away on vacation and only picked up this thread now.  This
statement is not correct.  Back in the PGP 2.x days, this might have
been true, but with OpenPGP, there is no particular requirement that
the ability to sign and the ability to decrypt are connected.  You can
have a shared key with separate capabilities.

Sending a signed key via encrypted mail does not ensure anything
about the key owner.

David



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger

Ingo Klöcker wrote:
> On Friday 07 July 2006 16:56, Todd Zullinger wrote:
[...]
>> Could you elaborate a little on the procedure you use to generate the
>> challenges?  I'd love to have some examples of how other folks do
>> things to present to my fellow LUG members.
> 
> My script does the following:
> For each key id that's given on the command line it first determines all 
> UIDs which are neither revoked nor expired nor have already been signed 
> by me. Then for each UID a random string is generated. I use the 
> command 
>   head -c 18 /dev/urandom | mimencode
> for this. (mimencode is part of metamail.) This challenge and the key id 
> and the UID are then inserted into a text explaining what the receiver 
> of the challenge has to do. This text is then encrypted with the key 
> corresponding to the key id. The encrypted text is then prepended with 
> another text explaining what the encrypted text is about. Finally the 
> resulting text is given to KMail together with the email address 
> (==UID). Now I only have to click on the Send button in KMail to send 
> the message.

Thank you much for this.

> (I could make KMail automatically send the messages, but I prefer to
> have a last look at them before I send them in order to check that
> everything worked correctly.)

Yeah, I understand that perfectly.  Too much automation can bite you
when you least expect it. :)

> I've attached the script.

And thank you very much for this!  It'll be very handy to have
something concrete to point others to for an example.  Between that
and the caff script in pgp-tools I've now got two nice perl examples
my fellow LUG members can check out and use or adapt.

>> Of course, but they can't sign it with the key I've been asked to
>> sign and which I verified from the key fingerprint and other owner
>> details, unless they are the proper owner of that key.
> 
> Yes, they can if it was them who asked you to sign their key. For
> example, I could create a key with my name and your email address,
> go to a key signing party and make everybody sign the fake user id.
> And if I can intercept your mail then I can even reply to
> challenges.

But if you do this, then even encrypting the challenge wouldn't help,
as I'd be encrypting it to the key you presented to me.  It seems that
this is a problem outside the scope of what the challenge will solve.

Or am I missing something?  (I've been busy all morning fixing some
plumbing, so my mind isn't as sharp as usual -- not that I'm the
sharpest tool in the shed on a good day. ;)

Many thanks to you for indulging my questions and posting your
procedures and script!

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Going to hell when I die would just be redundant.



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger

Ingo Klöcker wrote:
> On Friday 07 July 2006 17:09, Todd Zullinger wrote:
[...]
>> But that does mean that you can't get a signed key to someone if
>> the key you've signed doesn't have any encryption capabilities,
>> correct?
> 
> That's obviously correct. In this case you could give the key owner
> a piece of paper with a random string and ask him to send it in a
> signed message to your email address. Then you know that he can use
> this key for signing messages. Obviously, you can't check the
> validity of the email addresses belonging to this key (unless he's
> got an encryption key you can use for checking the addresses).

Is it really necessary to encrypt the challenge?  If the key has
encryption capabilities, I would do so, but if it was a sign only key
and I could not do so, just what sort of attacks or weaknesses are
there in sending the challenge in the clear?  I've seen David Shaw
point out that it didn't gain you much.  I'm just trying to work
through the possible scenarios so I have them clear in my mind before
trying to present this to a larger group, who may well end up with
questions on this that I'd like to have better answers for than I do
now.

>> Have you found in practice that you don't run into many sign-only
>> keys that you are asked to certify?
> 
> Among a few hundred keys I've signed so far only a handful were
> sign-only or certification-only keys. I did simply sign them with a
> lower verification level.

Okay.  I would have guessed that you probably wouldn't run into
terribly many keys like this, but thank you for giving some practical
experience to support this.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
...unfortunately, we can't control the actions of everyone.
-- Bill Clinton, April 20, 1993



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Ingo Klöcker
On Friday 07 July 2006 17:09, Todd Zullinger wrote:
> Marcus Frings wrote:
> > * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> >> What I don't see in any of the links is more information about
> >> sending an email challenge before signing a key.  (My apologies if
> >> I'm overlooking it on your page or any of the others.)
> >
> > Before I used a protocol to signing keys where I sent out random
> > strings as challenge response but it's not worth. There is no
> > enhanced security and only more work for "signer" and "signee". If
> > you send the signed UIDs encrypted to each mail address separately
> > it has the same effect in security because if the mail address
> > bounces or the person behind the address doesn't have the private
> > key your signed UIDs won't become publicly available.
>
> But that does mean that you can't get a signed key to someone if the
> key you've signed doesn't have any encryption capabilities, correct?

That's obviously correct. In this case you could give the key owner a 
piece of paper with a random string and ask him to send it in a signed 
message to your email address. Then you know that he can use this key 
for signing messages. Obviously, you can't check the validity of the 
email addresses belonging to this key (unless he's got an encryption 
key you can use for checking the addresses).

But in case of a certification-only key even that won't work.

> Unless, of course, you have told the signee that they must provide
> you with a key which they wish to have the signed keys encrypted to.
>
> Have you found in practice that you don't run into many sign-only
> keys that you are asked to certify?

Among a few hundred keys I've signed so far only a handful were 
sign-only or certification-only keys. I did simply sign them with a 
lower verification level.

Regards,
Ingo




Re: Keysigning challenge policies/procedures

2006-07-07 Thread Ingo Klöcker
On Friday 07 July 2006 16:56, Todd Zullinger wrote:
> Ingo Klöcker wrote:
> > I haven't used it myself because I'm using a self-written script
> > for creating challenges with KMail.
>
> Could you elaborate a little on the procedure you use to generate the
> challenges?  I'd love to have some examples of how other folks do
> things to present to my fellow LUG members.

My script does the following:
For each key id that's given on the command line it first determines all 
UIDs which are neither revoked nor expired nor have already been signed 
by me. Then for each UID a random string is generated. I use the 
command 
  head -c 18 /dev/urandom | mimencode
for this. (mimencode is part of metamail.) This challenge and the key id 
and the UID are then inserted into a text explaining what the receiver 
of the challenge has to do. This text is then encrypted with the key 
corresponding to the key id. The encrypted text is then prepended with 
another text explaining what the encrypted text is about. Finally the 
resulting text is given to KMail together with the email address 
(==UID). Now I only have to click on the Send button in KMail to send 
the message. (I could make KMail automatically send the messages, but I 
prefer to have a last look at them before I send them in order to check 
that everything worked correctly.)

I've attached the script.

> >> Isn't it a good thing to send some random data to each UID on the
> >> key someone wishes you to sign and require that they send back
> >> that data signed by the key to prove they control both the key and
> >> the email address in the UID?
> >
> > Where "control the email address" is different from "is the owner
> > of the email address". Anybody between you and the owner of the
> > email address can intercept the challenge, sign it and send it back
> > to you.
>
> Of course, but they can't sign it with the key I've been asked to
> sign and which I verified from the key fingerprint and other owner
> details, unless they are the proper owner of that key.

Yes, they can if it was them who asked you to sign their key. For 
example, I could create a key with my name and your email address, go 
to a key signing party and make everybody sign the fake user id. And if 
I can intercept your mail then I can even reply to challenges. Of 
course, such an "attack" probably doesn't make much sense because for 
what purpose should I want to make someone believe I have an email 
address I do in fact not own (but which I can intercept).

Regards,
Ingo


send-challenge-v1.1.pl
Description: Perl program
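
The selection and challenge-generation steps described in the message above, sketched as an added example (this is not Ingo's attached script). It assumes the key listing comes from `gpg --with-colons --list-sigs`; the sample listing, key IDs and message wording are constructed, and the function names are hypothetical.

```python
import base64
import secrets

# Constructed sample in the `gpg --with-colons --list-sigs` record format
# (made-up key IDs; field 2 = validity, field 5 = key ID, field 10 = user ID).
SAMPLE_LISTING = """\
pub:u:2048:17:AAAAAAAAAAAAAAAA:1136073600:::u:::scESC:
uid:u::::1136073600::H1::Alice Example <alice@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1136073600::::Alice Example <alice@example.org>:13x:
uid:u::::1136073600::H2::Alice Example <alice@work.example>:
sig:::17:BBBBBBBBBBBBBBBB:1150000000::::Me <me@example.net>:10x:
uid:r::::1136073600::H3::Alice Example <old@example.org>:
uid:e::::1136073600::H4::Alice Example <expired@example.org>:
sub:u:2048:16:CCCCCCCCCCCCCCCC:1136073600::::::e:
sig:::17:AAAAAAAAAAAAAAAA:1136073600::::Alice Example <alice@example.org>:18x:
"""

def uids_to_challenge(listing, my_keyid):
    """UIDs that are neither revoked, expired, nor already signed by my_keyid."""
    seen, current = [], None
    for line in listing.splitlines():
        rec = line.split(":")
        if rec[0] == "uid":
            current = {"uid": rec[9], "ok": rec[1] not in ("r", "e")}
            seen.append(current)
        elif rec[0] in ("pub", "sub"):
            current = None            # following sigs do not belong to a UID
        elif rec[0] == "sig" and current and rec[4] == my_keyid:
            current["ok"] = False     # I have already certified this UID
    return [u["uid"] for u in seen if u["ok"]]

def new_challenge():
    """Same size as `head -c 18 /dev/urandom | mimencode`: 18 bytes -> 24 chars."""
    return base64.b64encode(secrets.token_bytes(18)).decode("ascii")

def build_challenges(listing, key_id, my_keyid):
    """One independent challenge text per remaining UID, ready to be encrypted."""
    out = {}
    for uid in uids_to_challenge(listing, my_keyid):
        token = new_challenge()
        body = (f"Key: {key_id}\nUser ID: {uid}\nChallenge: {token}\n"
                "Please send this text back signed with the key above.\n")
        out[uid] = (token, body)      # body would next be encrypted to key_id
    return out
```

Each UID gets its own token, so a reply proves receipt at that particular address rather than at any address on the key.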




Re: Keysigning challenge policies/procedures

2006-07-07 Thread Mark Kirchner
On Friday, July 7, 2006, 11:19:47 AM, Marcus wrote:
> * Todd Zullinger <[EMAIL PROTECTED]> wrote:
>
>> What I don't see in any of the links is more information about sending
>> an email challenge before signing a key.  (My apologies if I'm
>> overlooking it on your page or any of the others.)
>
> Before, I used a protocol for signing keys where I sent out random strings
> as challenge response, but it's not worth it. There is no enhanced security
> and only more work for "signer" and "signee". If you send the signed UIDs
> encrypted to each mail address separately it has the same effect in
> security

I don't think that's true: Decryption is (usually) handled by the
encryption subkey and there's absolutely no guarantee that this subkey
is controlled by the same person as the primary/signing key. There may
even be valid reasons to split the two "roles".

Since UIDs are attached to the primary key and the primary key is the
only one that can modify UIDs (and signing a key is all about UIDs)
this system can't prove what it's supposed to prove: The link between
the UID (better: the e-mail-address in it) and the person in control
of it.

Regards,
Mark Kirchner

-- 
_
Key (0x172C073C): http://www.mark-kirchner.de/keys/key-mk.asc
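
One way to check a returned challenge with the primary key versus subkey distinction from the message above in mind, as an added example that is not from the thread: it reads the `VALIDSIG` line GnuPG writes with `--status-fd` and accepts a reply only if the signature comes from the primary key whose fingerprint was verified in person. The function names, fingerprints and status lines are constructed.

```python
PARTY_FPR = "0123 4567 89AB CDEF 0123  4567 AAAA AAAA AAAA AAAA"  # constructed
SUBKEY_FPR = "FEDCBA9876543210FEDCBA98CCCCCCCCCCCCCCCC"           # constructed

def make_status(signer_fpr, primary_fpr):
    """Constructed status output using GnuPG's VALIDSIG field layout:
    fpr, date, timestamp, expiry, version, reserved, pk-algo, hash-algo,
    sig-class, primary-key-fpr."""
    return (f"[GNUPG:] VALIDSIG {signer_fpr} 2006-07-07 1152230400 0 3 0 "
            f"17 2 01 {primary_fpr}\n")

def check_reply(status, signed_text, party_fpr, challenge, require_primary=True):
    """Return (accepted, reason) for one challenge reply."""
    want = party_fpr.replace(" ", "").upper()
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        signer = parts[2].upper()
        # Older output may omit the primary fingerprint; then signer is primary.
        primary = parts[11].upper() if len(parts) > 11 else signer
        if primary != want:
            return False, "signed by a different key than the one verified in person"
        if require_primary and signer != primary:
            return False, "signed by a subkey, not the primary key"
        if challenge not in signed_text.split():
            return False, "challenge string missing from the signed text"
        return True, "ok"
    return False, "no valid signature"
```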



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
Marcus Frings wrote:
> * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> 
>> What I don't see in any of the links is more information about
>> sending an email challenge before signing a key.  (My apologies if
>> I'm overlooking it on your page or any of the others.)
> 
> Before, I used a protocol for signing keys where I sent out random
> strings as challenge response, but it's not worth it. There is no
> enhanced security and only more work for "signer" and "signee". If
> you send the signed UIDs encrypted to each mail address separately
> it has the same effect in security because if the mail address
> bounces or the person behind the address doesn't have the private
> key your signed UIDs won't become publicly available.

But that does mean that you can't get a signed key to someone if the
key you've signed doesn't have any encryption capabilities, correct?
Unless, of course, you have told the signee that they must provide you
with a key which they wish to have the signed keys encrypted to.

Have you found in practice that you don't run into many sign-only
keys that you are asked to certify?

> There are some scripts around but don't use CA-Bot as Ingo
> suggested. As he has already said it has problems with so-called
> sign-only-keys and it sends out broken mails. caff, from the same
> author, handles these keys much better. It can be downloaded from
> the third link I mentioned. Besides it is already available in
> Debian and FreeBSD.

Thanks, I'll look closer at caff.  I didn't pull down the package and
play with it yet.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
You're not drunk if you can lie on the floor without holding on.
-- Dean Martin



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
Ingo Klöcker wrote:
> Try CA-Bot (http://cabot.alioth.debian.org/).

Thanks Ingo.

> I haven't used it myself because I'm using a self-written script for
> creating challenges with KMail.

Could you elaborate a little on the procedure you use to generate the
challenges?  I'd love to have some examples of how other folks do
things to present to my fellow LUG members.

> But I've been sent a few challenges generated by CA-Bot. Last time I
> received such a message, it said (at least IIRC) that CA-Bot
> couldn't handle signed and/or encrypted replies. So using CA-Bot you
> can only check whether the person you send the challenge to can
> decrypt the challenge, but you can't check whether he also controls
> the signing key.

That's unfortunate, since the signature is more important than the
decryption, AFAIAC.  I'll take a look and see if CA-bot can't be
useful as a starting point for some scripts of my own.

>> Isn't it a good thing to send some random data to each UID on the
>> key someone wishes you to sign and require that they send back that
>> data signed by the key to prove they control both the key and the
>> email address in the UID?
> 
> Where "control the email address" is different from "is the owner of
> the email address". Anybody between you and the owner of the email
> address can intercept the challenge, sign it and send it back to
> you.

Of course, but they can't sign it with the key I've been asked to sign
and which I verified from the key fingerprint and other owner details,
unless they are the proper owner of that key.

> This is especially a problem with email addresses which don't
> contain the name, but just some random alias, nickname or whatever.
> [EMAIL PROTECTED] could be anyone's email address.

Right.  But if we met in person and I showed you acceptable ID,
provided you with the key fingerprint and other key data, then
returned a challenge from you signed using the key matching the
fingerprint that you verified in our meeting, you know that I am in
control of the key and that I can get mail at [EMAIL PROTECTED]
Obviously, others can read mail there too and that's why I'm using GPG
to ensure that I'm the only one that will be able to decipher mail
sent to that address and generate verifiable email from that address.

Thanks,

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
You will never find time for anything.  If you want time you must make
it.
-- Charles Buxton



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Marcus Frings
* Todd Zullinger <[EMAIL PROTECTED]> wrote:

> What I don't see in any of the links is more information about sending
> an email challenge before signing a key.  (My apologies if I'm
> overlooking it on your page or any of the others.)

Before, I used a protocol for signing keys where I sent out random strings
as challenge response, but it's not worth it. There is no enhanced security
and only more work for "signer" and "signee". If you send the signed UIDs
encrypted to each mail address separately it has the same effect in
security because if the mail address bounces or the person behind the
address doesn't have the private key your signed UIDs won't become
publicly available.

> It's been discussed here before but I've not found any scripts or good
> details that I could point my fellow LUG members toward.  Isn't it a
> good thing to send some random data to each UID on the key someone
> wishes you to sign and require that they send back that data signed by
> the key to prove they control both the key and the email address in
> the UID?

There are some scripts around but don't use CA-Bot as Ingo suggested. As
he has already said it has problems with so-called sign-only-keys and it
sends out broken mails. caff, from the same author, handles these keys
much better. It can be downloaded from the third link I
mentioned. Besides it is already available in Debian and FreeBSD.

Regards,
Marcus
-- 
"This elevator serves me alone. I have complete control over
this entire level. With cameras as my eyes and nodes as my
hands, I rule here, insect."
 (Shodan in System Shock)




Re: Keysigning challenge policies/procedures

2006-07-07 Thread Ingo Klöcker
On Friday, 7 July 2006 06:31, Todd Zullinger wrote:
> What I don't see in any of the links is more information about
> sending an email challenge before signing a key.  (My apologies if
> I'm overlooking it on your page or any of the others.)
>
> It's been discussed here before but I've not found any scripts or
> good details that I could point my fellow LUG members toward.

Try CA-Bot (http://cabot.alioth.debian.org/). I haven't used it myself 
because I'm using a self-written script for creating challenges with 
KMail. But I've been sent a few challenges generated by CA-Bot. Last 
time I received such a message, it said (at least IIRC) that CA-Bot 
couldn't handle signed and/or encrypted replies. So using CA-Bot you 
can only check whether the person you send the challenge to can decrypt 
the challenge, but you can't check whether he also controls the signing 
key.

> Isn't it a good thing to send some random data to each UID on the key
> someone wishes you to sign and require that they send back that data
> signed by the key to prove they control both the key and the email
> address in the UID?

Where "control the email address" is different from "is the owner of the 
email address". Anybody between you and the owner of the email address 
can intercept the challenge, sign it and send it back to you. This is 
especially a problem with email addresses which don't contain the name, 
but just some random alias, nickname or whatever. [EMAIL PROTECTED] could 
be anyone's email address.

Regards,
Ingo




Re: Keysigning challenge policies/procedures

2006-07-06 Thread Todd Zullinger
Marcus Frings wrote:
> * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> 
>> I was wondering if some folks here have detailed their challenge
>> policies and procedures and if you'd mind sharing them if you have?
>> Even handier would be some scripts to help in the automation of this
>> task.  ;)
> 
> http://www.sc-delphin-eschweiler.de/pgp/
> http://sion.quickie.net/keysigning.txt
> http://pgp-tools.alioth.debian.org/

Thank you Marcus.  I had actually found your page while doing some
research and read it.  Very nicely outlined.  Thank you for sharing it
with the world.

I believe that we will be using the method outlined in Len Sassaman's
and Phil Zimmermann's paper from above.  This too I had read while
researching this earlier.  (It's good to know I've run across some of
the same info you recommend. :)

What I don't see in any of the links is more information about sending
an email challenge before signing a key.  (My apologies if I'm
overlooking it on your page or any of the others.)

It's been discussed here before but I've not found any scripts or good
details that I could point my fellow LUG members toward.  Isn't it a
good thing to send some random data to each UID on the key someone
wishes you to sign and require that they send back that data signed by
the key to prove they control both the key and the email address in
the UID?

Many thanks for the helpful information,

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Money can't buy happiness, but it sure makes living in misery easier.


