Eugene Smiley on Thu, 6 Mar 2003 12:38:09 -0500


RE: [PLUG] PGP keysigning aftermath

Gabe wrote:
> Sure, but doing keysigning the way we've been doing it is getting
> to be pretty unmanageable.

Agreed. It takes a LONG time.

> Jeff would like to just have everyone's keys in a file, run SHA1
> on that, compare the checksum you see at the meeting with one you
> compute yourself on the same file, and know that everyone's
> signature matches up. I think there are some serious failings
> with that plan:

This plan can be seen at

One still has to verify that the FP is accurate, but you don't have to read
it out to everyone. The hash simply tells you that everyone's page is the
same. No sleight of hand/copy machine/printer.

I have a script based on darxus's code, which creates an HTML
file of the output of 'gpg --list-keys --fingerprint' on the keyring and
outputs the MD5, SHA1, and RMD160 (using 'gpg --print-mds <file>'). Kind of
a proof of concept.

> Problems with our current plan are similar:
> - If you don't understand the process, you've got a good chance of
>   doing it wrong. Like say last night when one participant
>   blithely read his fingerprint from the sheet of paper I
>   provided without first verifying it.

I recommend posting instructions of what we finally come up with.

> I would much prefer this approach:
> - Participants bring their own key fingerprint printouts. Ideally
> using gpg-key2ps[1].

I think this is still the best route for latecomers, but I prefer what I'll
from now on call the Jeff plan. ;)

>> Who else was involved?

Paul Snyder
Jeff Abrahamson
Moi (Eugene)
Eric Roode
Chris Cera (brought slips)
Renford ? (didn't bring keyID/fingerprint, validated others'

Did I miss anyone?

Philadelphia Linux Users Group        --
Announcements -
General Discussion  --
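An added worked example (not Eugene's script and not darxus's code) of the two checks the "Jeff plan" asks of each participant: hash the shared fingerprint sheet and compare it with the digest read out at the meeting, and separately confirm that your own fingerprint line on that sheet is right. Python's hashlib stands in for 'gpg --print-mds'; the sheet text, key IDs and fingerprints are constructed.

```python
import hashlib

# Constructed stand-in for the sheet built from the output of
# 'gpg --list-keys --fingerprint' (hypothetical key IDs and fingerprints).
SHEET = """\
pub   1024D/DEADBEEF 2003-01-15
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF
uid   Alice Example <alice@example.org>
pub   1024D/CAFEF00D 2002-11-02
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 CAFE F00D
uid   Bob Example <bob@example.org>
"""


def sheet_digests(text):
    """MD5 and SHA1 of the sheet bytes, the same digests 'gpg --print-mds'
    computes (RMD160 is skipped: hashlib often lacks it on modern builds)."""
    data = text.encode("utf-8")
    return {"MD5": hashlib.md5(data).hexdigest().upper(),
            "SHA1": hashlib.sha1(data).hexdigest().upper()}


def sheet_matches(text, announced_sha1):
    """Check one: hash the sheet you printed yourself and compare it with
    the digest announced at the meeting. Equal digests mean everyone holds
    a byte-identical sheet; they say nothing about whether any fingerprint
    on it is genuine."""
    mine = sheet_digests(text)["SHA1"]
    return mine == announced_sha1.replace(" ", "").upper()


def own_fingerprint_ok(text, my_fingerprint):
    """Check two, which the hash does not replace: each keyholder confirms
    that their own fingerprint line on the shared sheet is exactly what
    gpg shows for their key."""
    want = my_fingerprint.replace(" ", "").upper()
    for line in text.splitlines():
        if "Key fingerprint =" in line:
            got = line.split("=", 1)[1].replace(" ", "").upper()
            if got == want:
                return True
    return False


if __name__ == "__main__":
    digests = sheet_digests(SHEET)
    print("SHA1 to read out at the meeting:", digests["SHA1"])
    # A single altered hex digit on one printout is caught by check one.
    tampered = SHEET.replace("DEAD BEEF", "DEAD BEEE")
    print("tampered sheet matches?", sheet_matches(tampered, digests["SHA1"]))
```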