Darxus on Wed, 17 Apr 2002 20:04:46 -0400
Sorry I haven't been more actively participating in this thread.

I believe all new keys I have received are in http://www.phillylinux.org/keys/phillylinux.gpg, and printouts will be made before the meeting by MCT.

Less importantly, yes, I plan to be there.

(I encourage you to verify that your key is in this file if you intend to participate)

On 04/17, eric@lucii.org wrote:
> I'm missing something here... How do I get my key to a key server?
> That's not on the web page (phillylinux.org/keys/).
>
> Also, how do I know who's participating? John Lavin is the only
> name I recall seeing so far.

These are not things you need to worry about. People are trying to confuse you :)

Keyservers are another way of distributing keys, and if you'd like to retrieve your own set of keys from keyservers, and print that out, and bring that with you to verify at the meeting, that's fine, as long as

1) You know who will be participating
2) Everyone who will be participating has uploaded their key to a keyserver

This is a rather unlikely combination, as most new participants just send me their key, and don't generally announce their intentions on the list.

All of this is generally taken care of by me. People send me their keys, I collect them, and put them at the above mentioned url. Somebody prints the fingerprints from the keys in that file, and hands them out at the meeting. Then we all stand around in a circle, and read off the verified copy of our fingerprint that we brought, and then pass around our photo ID, while people initial our fingerprint and identity if they feel that they have been sufficiently verified. Then we go home, download the above mentioned file, import it, verify that the fingerprints on the printouts match the fingerprints of the keys we downloaded, and then sign them. Then you all send the signed keys back to me to be re-collected and put in the same above mentioned phillylinux.gpg file.

It really isn't complicated and I provide detailed instructions to every participant after the keysigning.

On 04/17, gabriel rosenkoetter wrote:
> On Wed, Apr 17, 2002 at 06:39:31PM -0400, Michael Leone wrote:
> > All participants have to have copies of everyone involved's fingerprint;
> > it's just easier to funnel them to a central person, who then makes
> > enough printouts for all participants to look at.
>
> Um, but if I blindly trust that the printout that Darxus gives me
> matches what I'd get out of gpg --fingerprint for that key ID and
> sign the key, I've misplaced my trust.

Nobody blindly trusts the printouts. We verify their validity at the meeting, and then go home and verify that they match the keys.

> Even if you do use Darxus's handy printout, you MUST verify that the
> fingerprint on that sheet of paper (that you verified against what
> the person whose key it is read aloud *from* *their* *own*
> *files*... that is NOT from Darxus's printout) matches with the
> output of gpg --fingerprint for that key ID on your machine BEFORE
> you do gpg --sign-key.

Exactly. Actually, that's all here: http://www.phillylinux.org/keys/keysigning.followup.txt
Which is linked from http://www.phillylinux.org/keys/ ("(example directions)").

> But bringing copies of your fingerprint for everyone and reading
> your fingerprint aloud are redundant! It's still necessary to match
> the fingerprints against what you have locally when you get home.

If someone handed me a printout of their fingerprint that they told me they had personally verified (the printout of their fingerprint against the fingerprint on their screen), and which they had initialed, and then showed me photo ID that matched the info on the key, then yes, I would be comfortable taking that printout home and signing the matching key (after verifying the printout matches the key I have) without them ever actually reciting their fingerprint for me.

But I think someone was just talking about bringing printouts in case I or somebody else doesn't, which would then be verified verbally as normal.

> In any case, I think you missed my point. I was saying that I could
> just as easily print the fingerprints for everyone in place of
> Darxus, if he's not going to be there (um, Darxus, could you maybe
> say something about this? Soon?), and that they would be no more or
> less trustworthy than Darxus's printouts.

Yup. Trustworthy to the extent that I think you could reasonably expect the letters to not rearrange themselves from the time you verify them at the meeting until you get home and verify it against the key itself.

No-one should ever assume that the printouts are valid. I could be maliciously modifying them. You have to assume somebody is, otherwise the system breaks.

Most importantly.... this is not complicated, stop trying to scare people away :)

-- 
"Whatever you do will be insignificant, but it is very important that you do it." - Mahatma Gandhi
http://www.ChaosReigns.com

Attachment:
pgpnCk6sRGYv6.pgp
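
The at-home step described in the message above (the fingerprints on the initialed printout must match the downloaded keys before anything is signed), as an added shell example that is not part of the original e-mail or the phillylinux.org instructions. The `check_fprs` and `sample_listing` names, the sheet file of fingerprints typed in from the printout, and the sample keys are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# check_fprs SHEET: reads `gpg --with-colons --fingerprint` output on stdin
# and compares each primary-key fingerprint with SHEET, a text file holding
# the fingerprints you verified and initialed at the meeting (one per line;
# spaces and letter case are ignored). SHEET is a hypothetical file name.
# Exit status is 0 only if every key and every sheet entry matched.
check_fprs() {
    awk -F: '
        function norm(s) { gsub(/[ \t\r]/, "", s); return toupper(s) }
        FILENAME == ARGV[1] { f = norm($0); if (f != "") sheet[f] = 1; next }
        $1 == "pub" { primary = 1; next }
        # Only the first fpr record after "pub" is the primary key; later
        # fpr records belong to subkeys and are not what people read aloud.
        $1 == "fpr" && primary {
            primary = 0; f = norm($10)
            if (f in sheet) { print "SIGN " f; seen[f] = 1 }
            else            { print "SKIP " f; bad = 1 }
        }
        END {
            for (f in sheet) if (!(f in seen)) { print "MISSING " f; bad = 1 }
            exit bad + 0
        }
    ' "$1" -
}

# Constructed sample data (made-up keys), in the colon-listing layout.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:7777888899990000:2002-01-01:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::2002-01-01::::Alice Example <alice@example.org>:
sub:-:1024:16:0000111122223333:2002-01-01::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
pub:-:1024:17:3333222211110000:2002-01-01:::-:::scESC:
fpr:::::::::9999888877776666555544443333222211110000:
uid:-::::2002-01-01::::Mallory Example <mallory@example.org>:
EOF
}
```

Only keys reported as `SIGN` have a fingerprint that matches the sheet; `SKIP` marks a downloaded key that was never verified in person, and `MISSING` marks a verified fingerprint with no matching key in the listing.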