• Welcome to Computer Association of SIUE - Forums.
 

GPG / PGP key signing party

Started by Victor Cardona, 2002-11-08T00:40:44-06:00 (Friday)


Victor Cardona

Hi guys,

I just thought of something that would be really cool. We could host a key signing party on campus. While we are at it, we could also introduce people to email encryption, and show them how to use it. Basically, everyone would need to bring their keys (floppy, laptop, ssh, etc...). ID would also be handy so that they could prove they are who they say they are.

What do you guys think?

Victor

Kade P. Cole

I would be interested. I keep wanting to get into mail like this and signing my messages. I have done it in the past. Need to get me a new key now.

Kade
--------------------------------------
Most people HAVE to use a PC.
I GET to use a MAC with OS X!

Victor Cardona

Yea!

To make things more interesting we could do a CAOS only signing party and offer prizes to the person with the most signatures on his or her key. That way we all know each other or have someone that can vouch for us :-)

Victor

Guest

Why exactly does everyone need to do a key signing? I understand the concept of a trust system but come on how paranoid can you get? It would be understandable if the people at the key signing wouldn't be in contact with each other for a good while but considering most if not all of you are near campus...a confirmation of a signed message or an encrypted message shouldn't be that difficult. And yeah I understand that the transfer of a public key over any untrusted media such as the Internet even with encrypted SSL communications is a big no no but come on we're not exactly prime targets for the CIA or hackers with nothing else to do...so here is a better idea...post them here...and forget about a trusted network of signatures.

In order for a hacker or the CIA to impersonate you online they would have to modify the key before the person you wish to communicate with places your public key on their key ring....after that they would have to break into a client box which isn't as easy as everyone thinks it is...unless you're stupid enough to use IE with its 14+ unpatched holes. Then besides modifying the public key you post they would also have to have control of either a router or one of the e-mail servers you send e-mail through so they can replace your GPG/PGP sig with the one they fudded up...not an easy task.

So yeah if you're really paranoid go ahead and start a trust of sigs....but unless you're really important it's just a waste of your time.

So here I'll start...


Victor Cardona

Well thanks for your opinion.

Unfortunately, I have a hard time believing that you understand how public key trust systems work. If you did, then you wouldn't be asking why anyone would want to have a signing party :-)

Anyway, this was just a suggestion for a group activity. I am not pressuring anyone to participate if they don't want to.

By the way, I would be more than happy to sign your key. Unfortunately, I don't know who you are, and therefore cannot verify that this key truly belongs to you.

Victor

William Grim

Well, I don't really know how a key signing works, but I'm in.

When do you think we should do that?
William Grim
IT Associate, Morgan Stanley

Guest

Quote: I have a hard time believing that you understand how public key trust systems work.

The idea is when you receive a key that is signed by people you trust it automatically increases the trust of the key from that user. You're only supposed to sign keys when you physically exchange keys in person or call each other up and verify the footprints. But why I'm asking why you would want to do such a thing goes back to the point that you don't need to in order to use the system and considering you can have daily contact with anyone on this site per request it wouldn't really be pointful.

Quote: Anyway, this was just a suggestion for a group activity. I am not pressuring anyone to participate if they don't want to.

Oh...I thought you wanted to do it so you could verify each other's e-mails after you leave college or something...I'm not saying it's a bad idea I just don't see much of a point for it in a security point of view....

Quote: By the way, I would be more than happy to sign your key. Unfortunately, I don't know who you are, and therefore cannot verify that this key truly belongs to you.

Yeah well I wasn't suggesting that you signed it...in fact it would be kind of pointless to sign it unless I sent it to you in another way. My point was there really isn't a need to sign each other's keys because there just isn't a need for that level of security. For some reason those that like to use the system forget about the human element of the communication...once someone poses as you it is easily fixable since you can have direct contact with the people you are communicating with.

but hey I didn't think of it as a way to get to know other people or have a meet for people at this site so I'm sorry for saying what I said.
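
Added example, not part of the original thread: a simplified Python model of how signatures from trusted people make a key valid, using GnuPG's default thresholds for its classic trust model. The names, the keyring and the `valid_keys` helper are constructed for illustration; a key that was only posted publicly and carries no trusted signature stays unvalidated.

```python
from dataclasses import dataclass, field

# GnuPG defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

@dataclass
class Key:
    owner: str
    signed_by: set = field(default_factory=set)  # owners who certified this key

def valid_keys(keyring, ownertrust, me):
    """Return owners whose keys are valid from `me`'s point of view.

    ownertrust maps owner -> "full" or "marginal" (absent = unknown).
    A signature counts only if the signer's own key is already valid.
    """
    valid = {me}                        # my own key is ultimately trusted
    for _ in range(MAX_CERT_DEPTH):     # each pass extends the chain by one hop
        newly = set()
        for owner, key in keyring.items():
            if owner in valid:
                continue
            signers = key.signed_by & valid
            full = sum(1 for s in signers
                       if s == me or ownertrust.get(s) == "full")
            marginal = sum(1 for s in signers
                           if s != me and ownertrust.get(s) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(owner)
        if not newly:
            break
        valid |= newly
    return valid

def demo_keyring():
    """Constructed sample: 'alice' is the local user; all names are made up."""
    names = ("alice", "bob", "carol", "dave", "erin", "frank", "guest")
    ring = {n: Key(n) for n in names}
    for n in ("bob", "carol", "dave"):   # fingerprints checked in person
        ring[n].signed_by.add("alice")
    ring["erin"].signed_by.add("bob")               # one fully trusted signer
    ring["frank"].signed_by |= {"carol", "dave"}    # only two marginal signers
    return ring                          # "guest": posted key, no signatures

OWNERTRUST = {"bob": "full", "carol": "marginal", "dave": "marginal"}

if __name__ == "__main__":
    print(sorted(valid_keys(demo_keyring(), OWNERTRUST, "alice")))
```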

Guest

Are there plugins for Outlook for GPG? I don't think there are enough Linux users on campus so you would have to find some sort of GPG/PGP for Windows. Doesn't PGP have a cost associated with it? I have used a GPG clipboard type thing for e-mail under Windows before with Outlook but you need to install both gnupg and this other clipboard type app. It would be different if there were as many Windows e-mail clients that support GPG as there are in the Linux world (both Evolution and KMail).

What GPG e-mail clients are there for windows?

Victor Cardona

GPG does run on Windows. You can download a binary version from the GNUPG website. They also list information about front-ends that are available.

I would encourage anyone to attend. You don't have to run Linux or UNIX.

Victor

Guest

What GPG e-mail clients are there for windows?

Victor Cardona

There are no email clients per se that are compatible with GPG on Windows. There are some plugins for various email clients available though that add the needed functionality. I might be wrong though. I don't use Windows for email.

Victor