[kwlug-disc] Generating and using PGP keys

Bob Jonkman bjonkman at sobac.com
Sun Feb 22 23:36:17 EST 2009


On 19 Feb 2009 at 19:19 Chris Frey wrote about "Re: [kwlug-disc]
Generating and using PGP keys[...]"

>The keysigning party howto is probably the best on this topic.
>As for what to bring, I'd recommend:
>
> - some kind of ID with your name on it... preferably a photo ID
>  Some people want two forms of ID, but that depends on
>  the person doing the signing.  

No no no.  The point of a keysigning party is to establish a web of 
trust between peers.  Relying on a "form of ID" transfers that trust 
to the issuer of the ID. In the case of a driver's license or a 
passport you trust the government to establish the identity of the 
person whose key you're signing, rather than the web of trust.

>For me, I already know you, so I'd just want to make sure you
>haven't been using an alias all this time. :-) 

Yes yes yes.  Chris verifies Brent, Richard verifies Chris, I verify 
Richard, and so on. It's based on personal knowledge of each other. 
Some people will be better connected than others -- those are the 
people whose key signature is highly sought after.


>I'd just want to make sure you haven't been using an alias all
>this time. :-) 

Exactly. Rather than trying to establish an absolute identity, the 
purpose is to associate a particular key with a particular individual 
in meatspace[1], regardless of what they call themselves.

Good keysigning party guidelines are at 

  http://dl.central.org/dl/ietf-pgp/ietf72/announce-72  

That announcement is from July 2008, based on PGP documentation from 
1996 (when I started using it). Over the last 13 years those 
instructions have been posted elsewhere, but have been contaminated 
with "...and bring photo ID to confirm your identity."


GPG isn't only for e-mail.  Anything that needs to be verified or 
non-repudiable can be digitally signed (tax returns, invoices, love 
letters).  Anything that needs to be kept secret or private can be 
encrypted (love letters, hit lists, source code (ack!)).

GPG has not reached a critical mass. I used to go to the Toronto 
Cypherpunk keysigning parties, but after a while attendance dropped. 
Even members from Cypherpunks aren't using signed e-mail as much as 
they used to.  The TO CP also became somewhat commercial, when some 
participants wanted to become rich by being Thawte Freemail Digital 
Notaries.  <Sigh>  Money is icky and destroyed the Toronto 
Cypherpunks.

Today, I find TrueCrypt to be a far simpler means for me to keep my 
documents secure, and I've largely given up on digitally signed 
e-mail.

--Bob.

[1] How meatspace is viewed from afar: 
http://www.andrewsharpe.com/humor/meat.html




