[SGVLUG] Keysigning

Diane Trout diane at ghic.org
Sat Nov 30 10:51:02 PST 2013


On Saturday, November 30, 2013 09:01:25 John Kreznar wrote:
> In a posting purporting to be from Diane Trout <diane at ghic.org> but
> lacking a digital signature, it is written:
> > I was wondering if there was anyone going to the next SGVLUG meeting
> > who would be willing to do some GPG keysigning?
> 
> How do signatures help?  Please explain.

The simplest key signature case is Alice and Bob meet at some conference and 
Alice signs Bob's key. (Bob probably also signs Alice's key.)

After they go home to different parts of the world, when Bob sends a signed 
email to Alice, or provides a detached signature for files, or uses 
Monkeysphere[1] to sign a "self-signed" X.509 certificate, Alice can, by 
checking her keyring, say "I have met Bob and I have quite good reason to 
believe that key is owned by the person I met."

If Alice didn't sign Bob's key, all she really could say is "I am probably 
continuing to talk to the same entity."

With a previous 1024 bit key I had signed the key of several core python 
developers:
http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x4E2EF3DE9C461EF3
(that's my key but I signed their keys as well)

So when one of them signed some Python software I had reason to believe that 
it was certified by a person I had met. (You can get to stronger levels of 
trust in a piece of software using signed commits in git.)

Since cross-signing everyone in the world would be impossible, GnuPG has a 
method to compute transitive trust from having some number of keys you've 
signed sign a key you haven't directly seen. (The Web of Trust)

However, as even advanced GnuPG users find indirect trust difficult to reason 
about, I find it best to try and get as many direct signatures as possible.

Also, I've been becoming more active with Debian, and getting a GPG key 
signed by another Debian Developer is a requirement for becoming a Debian 
Maintainer. [2]

Diane

[1] MonkeySphere http://web.monkeysphere.info/
[2] https://wiki.debian.org/DebianMaintainer#Becoming_a_Debian_Maintainer
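The direct-signature and Web-of-Trust cases described in the message above, worked through as an added example (not code from the post or from GnuPG; the key names, signature graph and owner-trust assignments are constructed, and the trust model is a simplification of what gpg actually computes):

```python
"""Simplified GnuPG Web-of-Trust validity calculation (added example; not
code from the post or from GnuPG). Uses gpg's default thresholds: 1 fully
trusted signer or 3 marginally trusted signers, at most 5 hops deep.
Key names and the signature graph below are constructed sample data."""
COMPLETES_NEEDED = 1  # gpg default --completes-needed
MARGINALS_NEEDED = 3  # gpg default --marginals-needed
MAX_CERT_DEPTH = 5    # gpg default --max-cert-depth


def compute_validity(own_key, signatures, owner_trust):
    """Return {key: depth} for every key valid from own_key's point of view.
    signatures:  {signer: set of keys that signer has certified}
    owner_trust: {key: "full" | "marginal"}; own_key is implicitly ultimate.
    A signature only counts once the signer's own key is itself valid."""
    valid = {own_key: 0}
    all_keys = set(signatures) | {k for s in signatures.values() for k in s}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        for candidate in all_keys - set(valid):
            full = marginal = 0
            for signer, signed in signatures.items():
                if candidate not in signed or signer not in valid:
                    continue  # not signed by this key, or signer not yet valid
                trust = "full" if signer == own_key else owner_trust.get(signer)
                if trust == "full":
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[candidate] = depth
        if not newly_valid:
            break  # nothing new reachable at this depth
        valid.update(newly_valid)
    return valid


# Constructed sample: Alice met Bob, Dave, Erin and Frank in person and
# signed their keys; Bob met Carol, whom Alice has never met.
SIGNATURES = {
    "alice": {"bob", "dave", "erin", "frank"},
    "bob": {"carol"},
    "dave": {"grace", "heidi"},
    "erin": {"grace", "heidi"},
    "frank": {"grace"},
    "ivan": set(),  # nobody in this set has signed ivan's key
}
OWNER_TRUST = {"bob": "full", "dave": "marginal", "erin": "marginal", "frank": "marginal"}


def example():
    """Alice's view: carol via one full signer, grace via three marginals."""
    return compute_validity("alice", SIGNATURES, OWNER_TRUST)
```

With no owner trust assigned at all, only the keys Alice signed herself come out valid, which is the "I am probably continuing to talk to the same entity" situation for everyone further out.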
 