[Cryptography] PGP Key Signing parties

Joe Abley jabley at hopcount.ca
Fri Oct 11 14:08:23 EDT 2013


On 2013-10-11, at 07:03, Tony Naggs <tonynaggs at gmail.com> wrote:

> On 10 October 2013 22:31, John Gilmore <gnu at toad.com> wrote:
>>> Does PGP have any particular support for key signing parties built in or is
>>> this just something that has grown up as a practice of use?
>> 
>> It's just a practice.  I agree that building a small amount of automation
>> for key signing parties would improve the web of trust.
> 
> Do key signing parties even happen much anymore? The last time I saw
> one advertised was around PGP 2.6!

The most recent key signing party I attended was five days ago (DNS-OARC meeting in Phoenix, AZ). I commonly have half a dozen opportunities to participate in key signing parties during a typical year's travel schedule to workshops, conferences and other meetings. This is not uncommon in the circles I work in (netops, dnsops).

My habit before signing anything is generally at least to have had a conversation with someone and observed their interactions with people I do know (I generally have worked with other people at the party). I'll check government-issued IDs, but I'm aware that I am not an expert in counterfeit passports and I never feel that I am able to do a good job at it.

(I showed up to a key signing party at the IETF once with a New Zealand passport, a Canadian passport, a British passport, an expired Canadian permanent-resident card, three driving licences and a Canadian health card, and offered the bundle to anybody who cared to review them to make this easier for others. But that was mainly showing off.)

I have used key ceremonies to poison edges and nodes in the graph of trust following observations that particular individuals don't do a good enough job of this, or that (in some cases) they appear to have made signatures at an event where I was present and I know they were not. That's a useful adjunct to a key ceremony (I think) that many people ignore. The web of trust can also be a useful web of distrust.


Joe


