|
Post by cyRex Wolf on Jan 23, 2014 18:16:15 GMT -8
Hi everybody! There will be a PGP keysigning party at Vancoufur, at 12 noon on February 28!

Right now, I'm planning on using the Informal Method (see cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html for more info), given that I'm not sure what our turnout will be like. If we have a lot of people show up, I'll look into using the List-Based Method next year.

What to bring:
- Printed copies of your key fingerprint
- A pen or something to write with
- Some sort of ID to prove your identity

I strongly suggest two pieces of ID, but you really should bring whatever you feel is sufficient to prove to everybody else that you are who you say you are. Keep in mind that what you consider sufficient may or may not be considered sufficient to somebody else.

You will need enough printouts of your fingerprint to give everybody a copy. Electronic copies may not be considered sufficient by other participants, and may be difficult to reference later.

If you have any suggestions or questions, feel free to ask me here or by email. See you there!

Rex Wolf
0xD7EFEE90
|
|
|
Post by Temrin on Jan 23, 2014 20:19:38 GMT -8
I am curious, perhaps I am just misreading the information, but what -is- a PGP keysigning exactly?
|
|
|
Post by cyRex Wolf on Jan 23, 2014 21:11:58 GMT -8
"I am curious, perhaps I am just misreading the information, but what -is- a PGP keysigning exactly?"

Well, first I'll cover what a PGP key is. From there, we'll get to the keysigning party.

A PGP key, basically, is a two-part key that can be used for encryption and signing. The two parts of the key (public and private) work together. If somebody wants to send something to you, they use your public key to encrypt it. Because it's public, anybody can send you messages or general data. But only your private key can decrypt it. If you want to digitally sign something, you use your private key to sign it. Only you can make that digital signature, because that key is private. Anybody else can use your public key to verify that the signature really came from you.

Now, that's all well and good if you're absolutely sure that the public key you're looking at really belongs to that person. But I could easily create a key and call it "Temrin's key", and people could be fooled into sending things to me that they really wanted to send to you. I could sign messages using "Temrin's key" and you might end up taking the blame for things I wrote in your name.

To fix this problem, every PGP public key can be signed by the private keys of others. If you show me ID and a fingerprint of a PGP public key, then I can be reasonably sure that this key belongs to you, and you really are Temrin. Then, I use my private key to sign your public key. Maybe I have a friend who doesn't know you, but really wants to get in touch. How is he supposed to know that your key really is genuine? If he trusts my judgement, and he sees my signature on your key, then he knows I've checked it out and I'm confident that this is really your key. This is how we create what's called the "Web of Trust".

If this all sounds very complicated, well... it can be! But it's also a very powerful way of securing your digital privacy and identity. There is no central authority involved--if you don't want to trust my signature, you don't have to. You choose who you trust, and who you don't trust. But it's all for nothing if nobody you trust has signed the key for the person you want to communicate with. The more signatures we can make on each other's keys, the greater the chance you can find somebody you trust who has verified the other person's key.

This is where the keysigning party comes in. A keysigning party is a gathering where many people can come together at once to verify a lot of keys at one time and place, instead of having to arrange many individual meetings. Many conferences and conventions (especially computer- or security-related cons!) have a keysigning party as a regular event, to help people strengthen the Web of Trust.
|
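A simplified model of the Web of Trust check described in the post above, added here as an illustration; it is not code from the thread's participants and not GnuPG's actual trust algorithm. The names, the signature data and the `trust_path` function are constructed for the example.

```python
from collections import deque

# Constructed sample data (hypothetical attendees).
# SIGNATURES[signer] = owners of the keys that signer has signed
SIGNATURES = {
    "me": {"rex"},
    "rex": {"temrin", "mallory"},
    "mallory": {"fake-temrin"},   # a look-alike key signed by an untrusted party
    "temrin": {"reptoid"},
}
# People whose judgement I trust to check ID and fingerprints carefully.
TRUSTED_SIGNERS = {"me", "rex", "temrin"}


def trust_path(target, signatures, trusted, root="me", max_depth=5):
    """Return the chain of signers from root to target's key, or None.

    Simplified rule: a key is valid if root signed it, or if it was signed
    by someone whose own key is valid AND whom root trusts as a signer.
    """
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        signer = path[-1]
        # A valid key is not enough: its owner must also be a trusted signer,
        # and the chain must not grow past max_depth signers.
        if signer not in trusted or len(path) > max_depth:
            continue
        for owner in sorted(signatures.get(signer, ())):
            if owner == target:
                return path + [owner]
            if owner not in seen:
                seen.add(owner)
                queue.append(path + [owner])
    return None


if __name__ == "__main__":
    for name in ("temrin", "reptoid", "mallory", "fake-temrin"):
        print(name, "->", trust_path(name, SIGNATURES, TRUSTED_SIGNERS))
```

Mallory's key is valid here because Rex signed it, but the look-alike key she signed is not, since she is not in the trusted set.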
|
|
Post by Temrin on Jan 24, 2014 10:51:07 GMT -8
Interesting! Thank you very much for the explanation :3 I will get this advertised for ya! ^_^
|
|
|
Post by lordreptoid on Feb 5, 2014 0:17:20 GMT -8
I plan to attend.
Re: "There will be a PGP keysigning party at VancouFur, at 12 noon on February 28!"
"What to bring:"
"Printed copies of your key fingerprint" - Wise idea.
"A pen or something to write with" - Simple enough.
"Some sort of ID to prove your identity" - Several on hand.

"I strongly suggest two pieces of ID, but you really should bring whatever you feel is sufficient to prove to everybody else that you are who you say you are." Nothing is real, everything is possible. :> I have several varieties on hand. Some will shock and others will amuse.

"Keep in mind that what you consider sufficient may or may not be considered sufficient to somebody else." - Exactly. I prefer people with a face, myself. And face to face (hand to ear) direct communications over all others... (The hot tub (no electronics permitted) is sometimes optional). :>

"Rex Wolf 0xD7EFEE90"
Lord Reptoid (You'll see my PGP key(s) fingerprint(s) at the event). I can be contacted through this website for some private sharing in the meanwhile. Blessings.
|
|
|
Post by cyRex Wolf on Feb 6, 2014 6:25:43 GMT -8
I must confess, I burst out laughing when I saw your response! Not because I find your attendance amusing, but because in retrospect, it seems so obvious that I can't believe I didn't consider it before. Of all the people I know, you are one of the most likely candidates to have a PGP key, and I should have thought of that earlier. More because of your interest in liberty than because of your depth of involvement in technology, but nonetheless, I can't say I'm surprised.

I look forward to seeing you there, sir! I don't know if you recall our earlier meeting when I attended your Samhain party in 2012, but you will, I think, be pleased to know that I still have a face! (And still show it in public, no less!)
|
|
|
Post by lordreptoid on Feb 6, 2014 8:09:31 GMT -8
Very good. :> If all goes well, I'll see you then and there. And yes, I keep away from the little details of who coded what part of each sequence of computer code (in every way possible), but from the top down (literally sometimes) I hear it all regarding leaks before they become 'public leaks' due to my 25 years' experience in freelance investigative journalism and much more... all the way to the bottom where I find that without the best, simplest and easiest possible demonstrations and swift, easy to use applications of PGP (GPG, etc), we get the result we see after decades of its existence... almost zero use from the average computer user.

As you probably remember, my e-mail signature has always warned (by mainstream news video link example) of the extreme dangers of Canada's (and indeed the world's) number one most popular crime - Identity theft! Without being able to prove who you are and that you are indeed the author of said words (and of said transmitted data), one risks EVERYTHING in the hands of millions of total strangers. Who dares trust such a system of type-written post cards when one could be using their own handwriting contained within a sealed envelope (as we used to do with the non-digital variety of intimate and most personal communication)?

People are still surprised by my mere mention that the 'internet' was invented by the military for 'ease of use' and 'ability to share data between divisions worldwide' but on a CLOSED SYSTEM (not accessible to the public)... but once made public it was treated as 'secure' by civilians, which was the greatest mistake ever assumed by the general public. The internet is anything but! No one even knows if I wrote this message or not except myself and the person sitting right behind me presently. There's no way to tell if I've been spoofed or hacked or not... but there is! PGP (GPG included).

If this were a signed message (PGP style) even one single character being changed would send off red alerts that it's no longer my actual words or actual identity. Even 'plain text' clear-signing would end up in the same result. That's the beauty of PGP privacy between individuals and a whole lot more (secure file storage is another beauty).

The only REAL problem is making it available to EVERYONE and showing them how easy it is to use without going into all that 'geek speak' that loses the rest of society who need it MORE than the geeks do. Therein lies the real issue, and I hope you cover the swift, fun usability of instant and complete military grade encryption for the masses (more than get into the complexities of TwoFish algorithms and so forth, as much fun as they all are). :>
Lord Reptoid. ~~~~]xxx[:>~
|
|
|
Post by cyRex Wolf on Feb 11, 2014 7:10:42 GMT -8
"I hope you cover the swift, fun usability of instant and complete military grade encryption for the masses (more than get into the complexities of TwoFish algorithms and so forth, as much fun as they all are). :>"

I actually hadn't planned on covering usability or algorithms. The purpose of a keysigning party is to sign keys, after all--the intended audience is those who already have PGP keys and (presumably) know why strengthening the Web of Trust is a good thing.

Of course, I'm not fool enough to fail to consider alternative audiences as well. But that largely depends on crowd response. Are people going to show up and wander in, curious about what this panel is, or are they going to stay clear and check out whatever else interests them more? If anybody shows up and has no clue what's going on, but they want to know, I'm more than happy to explain why PGP is important, how easy it can be to use, and how to get started. Basics are usually more important than technicalities.

So yeah. I'm really, really not sure what attendance will be like. This panel is really an experiment on my part. So, as with any experiment, I make what plans I can, rough out some alternatives and contingencies, and then sit back to observe the results before tweaking my plans for the next time.
|
|