[wellylug] key signing events / wireless access?

Valient Gough vgough at pobox.com
Fri Dec 12 21:24:10 NZDT 2003


Some security protocols rely on a trusted third party.  For example,
secure web browsing (aka https) relies on a trusted third party to sign
your key.  All the browsers know about the trusted third parties and can
verify that someone 'trusted' signed it.

For GPG (or PGP), there is no trusted third party (by design).  When I
send encrypted mail using GPG, or sign software that I release (like
Linux RPM files for many distributions, or Debian packages), there is no
trusted third party to go to in order to make sure the key is valid.

Instead, the trust model is distributed.  Like Tim said, you prove to
someone's satisfaction that you are who you say you are - typically
using government-issued ID.  When someone has proven to me they are who
they say, and that they are the owner of their key, then I sign their
key saying in effect that I trust that this person's key matches to the
real person.  It doesn't mean that I trust the person is a good person
or anything (even if they are), just that I believe they are who they
say they are.

This builds a chain (or web) of trust.  If you see my signature on
something but don't know directly about me or if the signature is really
mine, you can check the signatures on my key and see if any of them are
people you trust, and so on.  Parts of this are automated in GPG.

I've had GPG keys for years, but haven't worried about it much before
because I only exchanged encrypted data with close friends, if at all.
But now that I've started to distribute some software, it is good to
have ties to many other people to make it more likely that a person will
be able to trust that the signature is mine without ever having met me.

So, yeah, we just get together and show each other IDs and trade bits
of paper with numbers on them.  Sounds like fun eh! :-)

Valient

On Fri, 2003-12-12 at 10:19, Tim Nicholas wrote:

> On 12/12/03 18:01, Brenda Wallace wrote:
> > What is a GPG key signing get-together?
> > Is it what I think it is?? You get together and swap GPG keys???!!!
> > 
> 
> Yup. Though normally it's just the signatures of the keys. You give
> someone the signature of your key, and prove to them that you are who
> you say you are (using a passport or whatever). They do the same and
> you're away laughing.
> 
> Or at least that's my understanding of the situation.
> 
> Tim
> 
> 
> -- 
> Tim Nicholas                          ||                      Cilix
> Email: tim at nicholas.net.nz            ||    Wellington, New Zealand
> http://tim.nicholas.net.nz/           ||   Cell/SMS: +64 21 337 204
> 
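The "check the signatures on my key and see if any of them are people you trust, and so on" step that Valient describes above is exactly what GnuPG automates when it computes key validity. The following is an added illustration, not code from the original post or from GnuPG itself: a small Python model of GnuPG's classic web-of-trust rules (one fully trusted signer, or three marginally trusted signers, within a bounded certification depth). The key IDs, the signature graph and the ownertrust assignments are constructed sample data, not real fingerprints or real keys.

```python
"""Toy model of GnuPG's classic web-of-trust validity rules.

Added example; not code from the original post or from GnuPG.  The key
IDs, signatures and trust settings below are constructed for illustration.
"""
from typing import Dict, Set

# Ownertrust: how far I trust the *holder* of a key to check other
# people's identity before signing.  This is separate from whether the
# key itself is valid, which is what the web of trust establishes.
#   "ultimate" -> my own key
#   "full"     -> one signature from this person is enough for me
#   "marginal" -> I want three such signers (GnuPG's default marginals-needed)
# A valid key with no ownertrust entry is still valid, but signatures
# made by its owner tell me nothing about anyone else.
OWNERTRUST: Dict[str, str] = {
    "ME": "ultimate",
    "ALICE": "full",
    "BOB": "marginal",
    "CAROL": "marginal",
    "DAVE": "marginal",
}

# SIGNATURES[key] = set of keys whose owners certified that key
# (constructed sample data; the IDs are hypothetical).
SIGNATURES: Dict[str, Set[str]] = {
    "ALICE": {"ME"},
    "BOB": {"ME"},
    "CAROL": {"ALICE"},
    "DAVE": {"ALICE", "BOB"},
    "VALIENT": {"BOB", "CAROL", "DAVE"},   # three marginal signers
    "EVE": {"BOB"},                        # only one marginal signer
    "FRANK": {"VALIENT"},                  # signer is valid but has no ownertrust
    "MALLORY": {"MALLORY"},                # self-signature only
}


def compute_validity(signatures: Dict[str, Set[str]],
                     ownertrust: Dict[str, str],
                     marginals_needed: int = 3,
                     completes_needed: int = 1,
                     max_cert_depth: int = 5) -> Dict[str, int]:
    """Return {key: depth} for every key judged valid.

    depth 0 is my own (ultimately trusted) key; a key gets depth n when
    enough already-valid keys of depth < n have certified it.  Keys missing
    from the result are not valid: I cannot rely on a signature from them.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, max_cert_depth + 1):
        newly: Dict[str, int] = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            fulls = marginals = 0
            for signer in signers:
                # Self-signatures and signatures from keys I have not yet
                # validated prove nothing about who holds this key.
                if signer == key or signer not in valid:
                    continue
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    fulls += 1
                elif trust == "marginal":
                    marginals += 1
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly[key] = depth
        if not newly:
            break          # fixed point reached: no more keys can become valid
        valid.update(newly)
    return valid


def signature_is_meaningful(signatures: Dict[str, Set[str]],
                            ownertrust: Dict[str, str],
                            signer: str) -> bool:
    """True if a signature made by `signer` (say, on a software release)
    can be attributed to a real person through the web of trust."""
    return signer in compute_validity(signatures, ownertrust)


if __name__ == "__main__":
    for key, depth in sorted(compute_validity(SIGNATURES, OWNERTRUST).items()):
        print(f"{key:8s} valid at depth {depth}")
    for key in ("EVE", "FRANK", "MALLORY"):
        print(f"{key:8s} NOT valid")
```

With the constructed data, VALIENT's key becomes valid only because BOB, CAROL and DAVE all signed it; EVE's key, signed by BOB alone, does not. FRANK's key stays invalid even though VALIENT (a valid key) signed it, because no ownertrust was assigned to VALIENT: a valid key says who its holder is, not that the holder is careful about signing others, which is the distinction the message draws. Promoting BOB to full ownertrust is enough to make EVE valid.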