[wellylug] key signing in Wellington
Valient Gough
vgough at pobox.com
Mon Feb 23 16:02:04 NZDT 2004
No worries, all you've sent is your public key, which is a perfectly
valid thing to send to anyone. Public keys are stored on key servers
around the world for public access. But, you'll notice that you don't
have any signatures on your key, eg:
> gpg --list-sigs Harker
pub   1024D/6C6570C6 2003-03-06 Jonathan Harker <jon at jonathanharker.co.uk>
sig 3        6C6570C6 2003-03-06 Jonathan Harker <jon at jonathanharker.co.uk>
sub   1536g/64279EDC 2003-03-06
sig          6C6570C6 2003-03-06 Jonathan Harker <jon at jonathanharker.co.uk>
As you see, the key you sent is signed by itself (standard practice),
but not by anyone else. So, unless I've met you and verified that this
key really does belong to someone named Jonathan Harker, how do I know
it isn't from some imposter? Anyone could create a key and have it
named "Jonathan Harker". That's where key signatures come in. I meet
you and verify that you are really you, and that the key you list here
really belongs to you and then I sign it with my key.
Once you have other signatures of your key, then if someone wants to
know if the key really belongs to you they have multiple means: 1. they
could still meet you and verify that you are who you say you are, or 2.
if they know me (and trust that my key is really mine) they could verify
that my signature of your key is valid. This is the so-called 'chain
of trust' and can continue on to greater depths.
For example, here is my current key, showing the attached signatures:
> gpg --list-sigs vgough
pub   1024D/2EAF4D80 2002-03-26 Valient Gough <vgough at pobox.com>
sig 3        2EAF4D80 2002-03-26 Valient Gough <vgough at pobox.com>
sig 3        A4E872B2 2003-12-07 Valient Gough <vgough at pobox.com>
sig 2        FAFE4010 2004-01-31 Mika Matsuzaki <mika at yukidoke.org>
sig 2        607559E6 2004-02-05 Benjamin Hill (Mako) <mako at debian.org>
sig 2        C99870B1 2004-02-05 Benjamin Hill (Mako) <mako at debian.org>
sub   2048g/65DCEDAF 2002-03-26
sig          2EAF4D80 2002-03-26 Valient Gough <vgough at pobox.com>
So, both Benjamin Hill (a debian developer in Seattle), and Mika
Matsuzaki have signed my key saying that they trust that my key belongs
to a real "Valient Gough" at that email address. Now Benjamin has about
670 signatures on his key of people that have verified that he is who he
says he is, which makes it possible for people to have some trust that
my key really belongs to me without having ever met me, or even having
met someone who directly signed my key!
That is the purpose of meeting people and signing their keys. We have
to physically meet in order to verify that the other person is who they
say they are (typically via verifying government issued id) and that
they also have control over the email address listed on their key (by
sending them the signature to that email address). Then when you send
someone your key, by exporting it as you did before, it will show up
with extra attached signatures.
make more sense?
Valient
On Tue, 2004-02-24 at 02:47, Jonathan Harker wrote:
> andrej at paradise.net.nz wrote:
>
> > // keys on the list
> >
> > Guys, the whole point of key-signing events is that
> > there is SOME sort of "control" over who is who and
> > such ... sending them around via e-Mail is not acceptable
> > like this (on a mailing list) ... that's why the whole
> > idea of signing parties has been born in the first place :)
>
> Sorry... was wondering what it was in aid of.
>
> Slightly confused,
> J
>
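The chain-of-trust idea in Valient's reply can be made concrete by walking the signature graph that `gpg --list-sigs` prints. The Python below is an added example and is not part of the thread or of GnuPG: it parses a listing in the layout quoted above (the listing itself is constructed here from the two outputs in the message, with the same key ids), discards self-signatures and subkey-binding signatures, and then computes how many signing hops separate each key from the keys whose owners the reader has verified in person. The assumption that the reader has personally verified Benjamin Hill's key `607559E6`, and the later signature of Jonathan's key by Valient's key, are hypothetical inputs chosen for the demonstration.

```python
import re
from collections import deque

# Constructed sample in the layout of the `gpg --list-sigs` output quoted in the
# message (key ids and uids copied from it). Jonathan's key carries only its
# self-signature; Valient's key carries signatures from three other people.
LISTING = """\
pub   1024D/6C6570C6 2003-03-06 Jonathan Harker <jon at jonathanharker.co.uk>
sig 3        6C6570C6 2003-03-06 Jonathan Harker <jon at jonathanharker.co.uk>
sub   1536g/64279EDC 2003-03-06
sig          6C6570C6 2003-03-06 Jonathan Harker <jon at jonathanharker.co.uk>
pub   1024D/2EAF4D80 2002-03-26 Valient Gough <vgough at pobox.com>
sig 3        2EAF4D80 2002-03-26 Valient Gough <vgough at pobox.com>
sig 3        A4E872B2 2003-12-07 Valient Gough <vgough at pobox.com>
sig 2        FAFE4010 2004-01-31 Mika Matsuzaki <mika at yukidoke.org>
sig 2        607559E6 2004-02-05 Benjamin Hill (Mako) <mako at debian.org>
sig 2        C99870B1 2004-02-05 Benjamin Hill (Mako) <mako at debian.org>
sub   2048g/65DCEDAF 2002-03-26
sig          2EAF4D80 2002-03-26 Valient Gough <vgough at pobox.com>
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")
SUB_RE = re.compile(r"^sub\s+")
# "sig", an optional certification level 1-3, the signer's key id, a date, a uid.
SIG_RE = re.compile(r"^sig(?:\s+([123]))?\s+([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")


def parse_list_sigs(text):
    """Return {key_id: {"uid": str, "signers": {signer_id: level}}}.

    Self-signatures are dropped (every key has one, so they say nothing about
    identity) and signatures under a 'sub' line are dropped (they only bind the
    subkey to the primary key).
    """
    keys = {}
    current = None
    in_subkey = False
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = m.group(1)
            in_subkey = False
            keys[current] = {"uid": m.group(3).strip(), "signers": {}}
            continue
        if SUB_RE.match(line):
            in_subkey = True
            continue
        m = SIG_RE.match(line)
        if m and current is not None and not in_subkey:
            level, signer = m.group(1), m.group(2)
            if signer == current:
                continue
            keys[current]["signers"][signer] = int(level) if level else 0
    return keys


def add_signature(keys, key_id, signer, level):
    """Record that `signer` has certified `key_id` (e.g. after a key-signing meeting)."""
    keys[key_id]["signers"][signer] = level


def trust_depths(keys, verified_in_person, max_depth=3):
    """Breadth-first walk of the signature graph.

    Depth 0: keys whose owners you verified yourself. Depth 1: keys signed by a
    depth-0 key, and so on. A key reachable only through its own self-signature is
    never reached, which is exactly Jonathan's situation in the message.
    """
    signed_by = {}
    for key_id, info in keys.items():
        for signer in info["signers"]:
            signed_by.setdefault(signer, set()).add(key_id)
    depths = {k: 0 for k in verified_in_person}
    queue = deque(verified_in_person)
    while queue:
        signer = queue.popleft()
        if depths[signer] >= max_depth:
            continue  # don't extend the chain past the depth the caller accepts
        for key_id in sorted(signed_by.get(signer, ())):
            if key_id not in depths:
                depths[key_id] = depths[signer] + 1
                queue.append(key_id)
    return depths


if __name__ == "__main__":
    keys = parse_list_sigs(LISTING)
    # Hypothetical: the reader verified Benjamin Hill's key 607559E6 in person.
    print(trust_depths(keys, {"607559E6"}))
    # Hypothetical: Valient later signs Jonathan's key after meeting him.
    add_signature(keys, "6C6570C6", "2EAF4D80", 3)
    print(trust_depths(keys, {"607559E6"}))
```

Running it shows Valient's key one hop from the in-person root and Jonathan's key absent until a signature from someone inside the chain is added, after which it appears at depth 2; lowering `max_depth` to 1 keeps it out again, which is the "greater depths" trade-off Valient mentions: each extra hop is one more person whose checking you are relying on.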