Well ... the response in Orlando was lack-lustre, but we'll keep trying.

I suspect that when some of us mention PGP others think "email", and
that's not the case. (With respect to the ZTRUST project, it's not about
email /at all/.)

The ZTRUST effort is aimed at two objectives: education and community
trust.

For the latter, the purpose is to provide a "trust anchor" which is
available for those wares which fall outside the usual PKI/CA space. Some
of the verification methods which ZTRUST endorses are also demonstrably
easier (than the standard CA/PKI methods).

In the open source world, producers have been using PGP to sign
deliverables for years.

In ZTRUST, we extend that and sign PKI root certs with PGP.

Maybe there should be a "ztrust" channel on Discord.

-- R; <><

On 2/23/26 9:31 AM, Rick Troth wrote:
howdy friends --

Those of us working on the ZTRUST project would benefit from a growing
Z community "web of trust".

If any of you at SHARE this week have your own PGP key pair, look for
opportunities to do in-person key exchange.

The in-person part should involve a printed copy of your key
fingerprint(s). We're talking paper. You'll exchange the electronic
copy of their public key via other means. (Keep it simple. Email is
one way.) But have the printed form so that the other party can be
sure they got your actual fingerprint and not something doctored by a
man-in-the-middle. (Paper is good for that, even in 2026.)

When you learn that a colleague at the conference also does PGP, give
them your printed fingerprint sheet. (Could be something like a
business card. Remember those?) If you don't know the other person
well, ask for a government-issued photo ID. (This is *not* rude. It's
completely appropriate. It's okay even if you DO know them well.)

Later, back at your hotel room with your own laptop, get their key
(electronic form), confirm the fingerprint, sign their key, extract
it, and return it to them. (Keep it simple. Email is one way. Is there
an echo in here?)

In years past, we would have a "PGP key signing party" to do all of
this. It's loads of fun for cryptography nerds, but kinda time
consuming when you've got like 87 other sessions to attend.

The purpose of the ZTRUST project is to establish a _trust anchor for
the Z community_. This is especially vital in the current climate of
code signing concerns. PGP keys form the basis of peer-to-peer trust.
We can cryptographically sign deliverables with recognized PGP keys.
We can also sign PKI root certificates in support of the PKI-means of
code signing. The whole thing provides assurance of veracity of those
wares which are provided by volunteer contributors (CBT tape, VM
Workshop tape, and countless more).
--
-- R; <><
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
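
The "confirm the fingerprint, sign their key, extract it" steps from the quoted message, sketched as a shell script. This is an added example, not part of the original posts or of the ZTRUST project; it assumes GnuPG 2.2 or later, and the function names and output file name are made up for illustration.

```shell
#!/bin/sh
# Added example: check a received key file against the fingerprint printed
# on paper before importing and signing it. Names here are illustrative.

# Normalize a fingerprint as typed from paper: drop spaces, tabs, newlines
# and colons, strip an optional 0x prefix, and uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# Succeed only when both values are full fingerprints (40 or more hex
# digits) and identical. Short 8- or 16-digit key IDs are rejected on purpose.
fpr_matches() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#a}" -ge 40 ] && [ "$a" = "$b" ]
}

# Print the primary-key fingerprint of a key file without importing it.
key_fpr() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# usage: verify_and_sign KEYFILE "PRINTED FINGERPRINT"
verify_and_sign() {
    actual=$(key_fpr "$1")
    if ! fpr_matches "$2" "$actual"; then
        echo "MISMATCH: key file has '$actual'; not importing or signing" >&2
        return 1
    fi
    gpg --import "$1" &&
        gpg --sign-key "$actual" &&
        gpg --armor --output "signed-$actual.asc" --export "$actual"
}

# Run only when called with a key file and the fingerprint from paper.
if [ "$#" -eq 2 ]; then
    verify_and_sign "$1" "$2"
fi
```

The exported `signed-….asc` file is what gets returned to the key's owner.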