> Does PGP have any particular support for key signing parties built in or is
> this just something that has grown up as a practice of use?

It's just a practice.  I agree that building a small amount of automation
for key signing parties would improve the web of trust.

I have started on a prototype that would automate small key signing
parties (as small as 2 people, as large as a few dozen) where everyone
present has a computer or phone that is on the same wired or wireless

> I am specifically thinking of ways that key signing parties might be made
> scalable so that it was possible for hundreds of thousands of people...

An important user experience point is that we should be teaching GPG
users to only sign the keys of people who they personally know.
Having a signature that says, "This person attended the RSA conference
in October 2013" is not particularly useful.  (Such a signature could
be generated by the conference organizers themselves, if they wanted
to.)  Since the conference organizers -- and most other attendees --
don't know what an attendee's real identity is, their signature on
that identity is worthless anyway.

So, if I participate in a key signing party with a dozen people, but I
only personally know four of them, I will only sign the keys of those
four.  I may have learned a public key for each of the dozen, but that
is separate from me signing those keys.  Signing them would assert to
any stranger that "I know that this key belongs to this identity", which
would be false and would undermine the strength of the web of trust.


The cryptography mailing list

Reply via email to