Excerpts from Thomas Goirand's message of 2014-03-29 23:32:55 -0700:
> On 03/30/2014 10:00 AM, Mark Atwood wrote:
> > Hi!
> >
> > Are there plans for a PGP keysigning party at the Juno Summit in
> > Atlanta, similar to the one at the Icehouse summit in Hong Kong?
> >
> > Inspired by the URL at
> > https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust/Icehouse_Summit
> > I looked for
> > https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust/Juno_Summit
> > to discover that that wiki page does not yet exist and I do not have
> > permission to create it.
> >
> > ..m
>
> If there's none, then we should do one.
>
> One thing about last key signing party, is that I didn't really like the
> photocopy method. IMO, it'd be much much nicer to use a file, posted
> somewhere, containing all participant fingerprints. To check for that
> file validity, together, we check for its sha256 sum (someone say it out
> loud, while everyone is checking for its own copy). And everyone,
> individually, checks for its own PGP fingerprint inside the file. Then
> we just need to validate entries in this file (with matching ID documents).
>
> Otherwise, there's the question of the trustability of the photocopy
> machine and such... Not that I don't trust Jimmy (I do...)! :)
>

If we follow either of these methods:

http://keysigning.org/methods/sassaman-efficient
http://keysigning.org/methods/sassaman-projected

Then everyone should bring their own copy of the file. Note that this
implies that one is using their own trusted equipment to do this or
verifying painfully that nothing has been altered during that process.
So it is important that we socialize this and have people ready _before_
the summit, so they can print at home.

The point is, users should still _print it themselves_ to avoid a mass
compromise of the key signing process at the time of
duplication/printing.

Now, having somebody else print the lists is fine as long as you have
key owners look at your copy and verify the fingerprint on your list.
This is _extremely_ inefficient compared to the Sassaman Efficient
protocol, but it works o-k for small groups, as the person can verify
your list while you're verifying their government ids, and you can do
the same for them.

I would suggest making these photocopies on an odd color of paper so
that key owners can know to ask for the list to verify it, rather than
letting unknowing lazy signers get away with trusting the photocopy.

> Plus having a text file with all fingerprints in it is more convenient:
> you can just cut/paste the whole fingerprint and do gpg --recv-keys at
> once (and not just the key ID, which is unsafe because prone to
> brute-force). That file can be posted anywhere, provided that we check
> for its sha256 sum.
>
> I would happily organize this, if someone can find a *quiet* room with
> decent network. Who can take care of the place and time?
>

There is zero network necessary for the party. In fact it is sort of
discouraged, as having network would distract from the single-minded and
very social purpose of the party.

Or are you requesting a room to do the list creation?

> Of course, We will need the fingerprints of every participant in
> advance, so the wiki page would be useful as well.
> I therefore created
> the wiki page:
> https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust/Juno_Summit
>

Thanks!!

> Please add yourself. We'll see if I can make it to Atlanta, and organize
> something later on.
>

Done. I'm happy to pick up facilitation of this process if you can't
make it.

> Cheers,
>
> Thomas Goirand (zigo)
>
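
Added example, not part of the original thread or of any OpenStack tooling: a sketch of the two checks discussed above (the SHA-256 of the shared fingerprint file against the value read aloud, and your own fingerprint inside it), followed by building a `gpg --recv-keys` command from full fingerprints only. The sample list, the function names and the 40-hex-digit fingerprint format are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample list, not the real summit list.
SAMPLE_LIST = b"""\
Alice Example <alice@example.org>
    0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
Bob Example <bob@example.org>
    FEDCBA9876543210FEDCBA9876543210FEDCBA98
Carol Example <carol@example.org>
    89ABCDEF
"""

def normalize(hex_text):
    """Drop whitespace and case so printed and spoken forms compare equal."""
    return re.sub(r"\s+", "", hex_text).upper()

def list_digest(data):
    """SHA-256 of the exact file bytes, the value read aloud at the party."""
    return hashlib.sha256(data).hexdigest()

def parse_fingerprints(data):
    """Split entries into full 40-hex fingerprints and bare key IDs."""
    full, key_ids = [], []
    for line in data.decode("utf-8").splitlines():
        candidate = normalize(line)
        if re.fullmatch(r"[0-9A-F]{40}", candidate):
            full.append(candidate)
        elif re.fullmatch(r"(0X)?([0-9A-F]{8}|[0-9A-F]{16})", candidate):
            key_ids.append(candidate)  # key ID only: never fetch by this
    return full, key_ids

def verify_list(data, announced_sha256, my_fingerprint):
    """Run both checks from the thread; raise ValueError if either fails."""
    if normalize(list_digest(data)) != normalize(announced_sha256):
        raise ValueError("SHA-256 differs from the announced value")
    full, key_ids = parse_fingerprints(data)
    if normalize(my_fingerprint) not in full:
        raise ValueError("own fingerprint is missing or altered")
    return full, key_ids

def recv_keys_command(fingerprints):
    """Build (not run) the fetch command using full fingerprints only."""
    return ["gpg", "--recv-keys", *fingerprints]

if __name__ == "__main__":
    mine = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    full, key_ids = verify_list(SAMPLE_LIST, list_digest(SAMPLE_LIST), mine)
    print(" ".join(recv_keys_command(full)))
    print("entries given only as key IDs, skipped:", key_ids)
```

Fetching keys this way only retrieves them; each entry still has to be confirmed by its owner against ID documents before signing.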
