
Meeting people for keysigning - using Biglumber

Posted by chris on Tue 28 Nov 2006 at 07:20

You've set up gpg and can now use it for signing and encryption, but how do you go about getting your key signed so that you are not only relying on the web of trust?

There are services available that allow you to organise meets with other people from your area, or when travelling.

Here we'll look at one of them - Biglumber.

Preparation

First, we need to prepare. When meeting, you will need to be able to provide information on your key as well as a mutually agreed proof of identity. (Hint: it's a real help if you remember that the proof of ID should relate to the key in some way. There's no point me turning up with our illustrious webmaster Steve's key and proof that I'm Chris!)

Some people write out the key details by hand, but the Debian project has a utility to help its users at keysigning events, and it is just as useful for the rest of us as normal Debian users.

Let's install the signing-party package.

aptitude install signing-party

This will provide us with the gpg-key2ps binary.

For example - using my key:

gpg-key2ps 224A5434 > chris.ps

If you want this as a PDF instead, you can use the ps2pdf binary from the gs-common package (at least, that's where I find it on my unstable box).

This will provide you with a page full of small notes - each with all the key details you want.

Registration at Biglumber

Head on over to www.biglumber.com and hit the "Add your key" link. You can either export your key as guided - and paste it in - or - if it is already on a keyserver - just give the ID. This will cause the site to send you an encrypted mail with login details. Note - this will send the mail to the e-mail address for the key.

When the mail arrives - decrypt it to get the password. Then head to the login link at biglumber and login.

Biglumber has four types of entry: personal (permanent), personal (temporary, used for e.g. visiting an area), event (permanent, that is, recurring) and event (one-time).

So - add your details - and check any others from your area - send them a mail - and organise a meet :) Remember when you head off to take:

  • Your key details
  • Your proof of ID
  • Details of where and when to meet
  • And - if the key contained an image - perhaps that will help you recognise the other party :)

A matter of courtesy: when you've got home and the key details you've been given to check all check out, sign the public key of the other party and send it to them. Don't leave them waiting weeks for it.
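The "check all check out" step, as an added example that is not part of the original article: it compares the full fingerprint printed on a gpg-key2ps slip with the key fetched from a keyserver after the meeting, parsed from gpg's --with-colons listing (a constructed sample is embedded; its key ID, fingerprints and user ID are invented), and confirms that a user ID on the key carries the name that was checked against the ID document.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output;
# the key ID, fingerprints and user ID are made up for this example.
SAMPLE_COLON_OUTPUT = """\
tr:o:0:1:3:1:0:1
pub:-:4096:1:0123456789ABCDEF:1164600000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1164600000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1164600000::::::e::::::23:
fpr:::::::::111122223333444455556666FEDCBA9876543210:
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")

def normalize_fingerprint(text):
    """Turn a fingerprint copied from a paper slip (grouped in fours, maybe
    lower case or 0x-prefixed) into 40 upper-case hex digits; None for
    anything shorter, such as a bare 8-digit key ID."""
    digits = re.sub(r"\s+|^0X", "", text.strip().upper())
    return digits if HEX40.match(digits) else None

def parse_key_listing(colon_output):
    """Return (primary_fingerprint, [user IDs]) from --with-colons output.
    Only the fpr record directly after the pub record is the primary key;
    fpr records that follow sub records belong to subkeys."""
    primary, uids, next_fpr_is_primary = None, [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            next_fpr_is_primary = True
        elif fields[0] == "fpr" and next_fpr_is_primary:
            primary, next_fpr_is_primary = fields[9], False
        elif fields[0] == "uid":
            uids.append(fields[9])
    return primary, uids

def check_slip(slip_fingerprint, colon_output, name_on_id_document):
    """Decide whether the key fetched after the meeting is the one on the
    slip and carries the name that was checked against the ID document.
    A short key ID match is never enough (short IDs are not unique), so
    only the full 40-digit fingerprint is compared."""
    wanted = normalize_fingerprint(slip_fingerprint)
    if wanted is None:
        return False, "slip does not carry a full 40-digit fingerprint"
    primary, uids = parse_key_listing(colon_output)
    if primary != wanted:
        return False, "fingerprint on slip does not match the fetched key"
    if not any(name_on_id_document in uid for uid in uids):
        return False, "no user ID on the key carries the name on the ID"
    return True, "fingerprint and name match; this key can be signed"
```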

You could also choose to use Biglumber's key exchange: you both agree to add the signed key to that server using the key exchange page, and it will only deliver the signed keys to each party when both have delivered.

You can get Biglumber to mail you about new keys, or there is a general mailing list or an RSS feed. When travelling, you can just hop on to the site and check your destination.

As a side note - even if you're not a biglumber member - if you're in Oslo or heading there on a visit - you're welcome to mail me and ask to meet up for a key exchange - just grab my key from a keyserver (224A5434) and send me a signed mail :) We can take it from there.


Re: Meeting people for keysigning - using Biglumber
Posted by fsateler (200.83.xx.xx) on Wed 29 Nov 2006 at 15:35
Doesn't it beat the point of keysigning to sign some random guy's key?

--------
Felipe Sateler

Re: Meeting people for keysigning - using Biglumber
Posted by Steve (80.68.xx.xx) on Wed 29 Nov 2006 at 16:11
But you would only actually sign if you'd validated the other person against appropriate ID - at which point they wouldn't be a "random person".

For example people sometimes mail me randomly to tell me they've signed my key and asking me to do the same in return - I would never do that without seeing a good form of ID and meeting them in person.

I want to sign more keys, but I'm only going to do it "properly". Biglumber (and similar listing sites) help in that respect because the goal is to get people face-to-face to exchange ID and only then do the signing.

Steve

Authenticating ID documents is the issue.
Posted by reluctant (65.78.xx.xx) on Thu 30 Nov 2006 at 22:50
Authenticating ID documents is problematic. For example, I'd have no idea what most out-of-state/country driver's licenses look like. Same for passports!

Of course this is a growing problem:

Identity Thief Steals House
http://www.schneier.com/blog/archives/2005/08/identity_thief.html

The trust part of the gpg model is no small thing.

Re: Authenticating ID documents is the issue.
Posted by Anonymous (59.176.xx.xx) on Sun 3 Dec 2006 at 08:18
Hah. Not only you, but HM customs have a problem with passports too. PJ

Re: Authenticating ID documents is the issue.
Posted by Anonymous (217.8.xx.xx) on Mon 4 Dec 2006 at 08:25
I agree that this is a problem in general. When arranging a meetup - you will need to agree in advance what proof of ID each party is willing to accept.

I'm based in Norway, and am often back in the UK to see the family. In that kind of situation I would recognise both a passport and a driver's licence - but - you are then at risk from forgeries.

The trust part of the system is a very important part - but remember that signing a key says only that you believe the key to be owned by the person you met - you are not saying that you trust them to be diligent in their keysigning. You can go in and assign a level of trust that you feel comfortable with.

Trust is private - you may sign my key - but I will never know what level of trust you have entered against it in your system. Again - I'd suggest that people read through the trust sections of the GnuPG handbook.

Re: Meeting people for keysigning - using Biglumber
Posted by chris (213.187.xx.xx) on Wed 29 Nov 2006 at 18:00
It comes down to what does it mean to sign a key.

All it means is that you have personally checked face-to-face that the person claiming to own that key has shown you some kind of proof that _you_ are willing to accept that they are the person they claim to be.

Take an example.

I meet Steve. We go through the ID process. So we sign each others keys (something which has yet to happen in real life).

Now - you know me and trust me - so what does my signature on Steve's key tell you? Nothing more than that I have decided that I was satisfied that Steve is Steve and I believe that he owns the key.

What doesn't it tell you? It tells you nothing about how reliable Steve is when it comes to his signing of keys.

By signing Steve's keys I am saying no more and no less than I am satisfied he is who he is.

You may want to read more at the GnuPG handbook - in particular Validating other keys on your public keyring - this goes into the concept of trust (a wholly private part of the system).

Re: Meeting people for keysigning - using Biglumber
Posted by fsateler (200.28.xx.xx) on Wed 29 Nov 2006 at 19:28
Ah, that explains a lot. I confused the trust issue with the id issue.

--------
Felipe Sateler
