[ale] Seeing if there's any interest

Jeremy T. Bouse jeremy.bouse at undergrid.net
Sat Oct 9 23:15:38 EDT 2010


On 10/09/2010 06:09 AM, Paul Cartwright wrote:
> On Fri October 8 2010, Jeremy T. Bouse wrote:
>>         Actually you wouldn't want to have your key at a signing party to
>> actually sign a key there. I actually will not sign someone's key if I
>> find them actually signing the key at a key signing party.
> 
> well, you'll have to pardon my ignorance, I've never been to a signing party..
> I DID trade keys once with a guy who was in Athens for a seminar. We met & 
> traded ID's & emails.. I think I figured out how to send him my key & vice 
> versa.. He was from Europe, Sweden I think it was.. So my key has been signed 
> once.. My wife couldn't understand WHY we were meeting this guy & trading 
> drivers licenses..
> 

Paul,

	Standard good practice at a key signing is to exchange key ID and
fingerprint and verify identity only and then go back privately and sign
keys later. Many people, like myself, have a much more stringent policy
on signing keys.

	For me as signing a key is me saying I've verified who they are and
would vouch for their key prefer to see 2 forms of ID with at least one
being a gov't issued with photo. I also sign each UID on the key and
send the signed key to that UID encrypted to the email address tied to
it. I do not upload the signed key back to the key server directly that
is the recipient's responsibility if they want the signature added after
they've decrypted the email containing it. This then verifies they 1)
receive email at that address, 2) have possession of the private key and
3) have the correct passphrase for the key. I also embed a key policy
URL in with the signature that points back to my published key usage
document along with checksum of the policy doc.

	My wife doesn't quite understand it all either though she went with me
when I met up with Peter Palfrader whose key is ranked #1 in the global
Web of Trust and ranked 11th in the Debian keyring. Then went around
Linux World Expo finding anyone who had a key and necessary
identification and wanted to exchange signatures. Currently my Debian
key is ranked 1030th globally and 428th within Debian.

http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

http://people.debian.org/~weasel/weboftrust/debian/20100202/output/msd-sorted.html

http://undergrid.net/legal/gpg/policy/20091121


More information about the Ale mailing list