[FOSDEM] Using biglumber services for the gpg Key signing party ?
jeroen De Dauw
jeroen_dedauw at yahoo.com
Mon Aug 24 10:56:25 CEST 2009
Can someone explain what the purpose of the Key signing party is, or provide a reference to some helpful docs?
Jeroen De Dauw
Skype: rts.bn.vs ; Xfire: bn2vs
Don't panic. Don't be evil.
70 72 6F 67 72 61 6D 6D 69 6E 67 20 34 20 6C 69 66 65!
From: Wouter Verhelst <wouter at debian.org>
To: FOSDEM visitors <fosdem at lists.fosdem.org>
Sent: Monday, August 24, 2009 10:09:05 AM
Subject: Re: [FOSDEM] Using biglumber services for the gpg Key signing party ?
On Mon, Aug 24, 2009 at 09:09:39AM +0200, Ludovic Hirlimann wrote:
> With this, most of the technical parts of the organization are solved.
> In order to add your key to the key ring users need to register on
> biglumber, to which some of the attendees might object. But the good news
> about having to register is that people then can use the biglumber
> escrow service - meaning that their signature will only be released and
> updated - only when both persons that have signed have uploaded. This
> part of the process makes the aftermath a bit longer but ensures that key
> signing will be symmetric.
Just one question: why?
Sure, it's a pity if some keys are not cross-signed. But it's not fatal
either, is it?
There are a few problems with your proposal:
- One of the things you're supposed to do when signing someone's key is
  checking that the email addresses on the key actually belong to the
  person owning the key. I usually do this by way of the 'caff' script,
  which signs the key, then encrypts it to the owner's mail address, and
  sends the encrypted signature off. Using such an escrow service would
  probably make this quite a bit harder, if not impossible.
- It requires people to jump through hoops in order to sign keys. That's
  never a good thing, because signing keys is boring, and you want
  people to be able to do things the way they usually do, rather than
  the particular way this particular key signing party requires you to.
  Otherwise they're likely to postpone it until they forget.
- On the subject of forgetting: receiving key signatures is an excellent
  way to remember that you have to sign them. Having an escrow service
  takes that away.
Of course, I stopped doing key signing parties (my key is well-connected
now anyway), so feel free to disregard anything I said.
The biometric identification system at the gates of the CIA headquarters
works because there's a guard with a large gun making sure no one is
trying to fool the system.