Re: [Fsuk-manchester] SFD09 – The final call for v olunteers

[Robert Burrell Donkin]

On Thu, Sep 17, 2009 at 6:15 PM, Leslie I'Anson <address@hidden> wrote:
> On 17/09/2009, Robert Burrell Donkin <address@hidden> wrote:
>> On Thu, Sep 17, 2009 at 1:52 PM, Simon Ward <address@hidden> wrote:
>>> On Thu, Sep 17, 2009 at 12:26:37PM +0100, Robert Burrell Donkin wrote:
>>>> given the progress made on breaking SHA-1[3], i'm very keen to swap my
>>>> new openpgp code signing key with others in the FOSS web of trust. if
>>>> there are people interested, i'd be happy to do key signing party (if
>>>> there isn't one already) or talk people through how to set up GnuPG[4]
>>>> to generate strong keys and strong links in the WOT[4][5].
>>>
>>> I’m happy to join in and help with this.
>>
>> cool :-)
>>
>> what's be the best way to get organised? are there enough people with
>> keys to do a formal party? or would something ad hoc be better?
>>
>> - robert
>
> My advice would be to hold a workshop (or two) first. Then numbers
> won't be so much of a problem.
>
> On proposal would be:-
>
> Workshop 1 - Introduction to the technology and tools, etc. (ie. theory + 
> demo)
> Workshop 2 - Generating keys, etc. (ie.putting theory into practice)

the theory's a bit dull and requires a lot of technical terms to be done right

i think that a single hands-on workshop would probably work better. if
enough people bring along laptops then we can break into small groups
clustered around those laptops and play around with demo keys based
around some practical problems.

it'd probably be more fun than listening to myself lecture on prime
number theory for a couple of hours ;-)

> Reward - Key signing "party" (ie. lots of people we new keys to sign)

any key signing party needs to be a separate event (for security
reasons). the only demo keys not intended for distribution should be
used at a workshop. but yes, i can organise a formal key signing party
after the workshop.


i would like to try to meetup with anyone who already uses OpenPGP
since the benefits of signing a key depend on how connected that key
is

suppose Alice is well connected to the Apache WOT. then most Apache
release managers will be linked within the three steps that a typical
trust model uses. Suppose Bob is not well connected. if Bob can verify
Alice's identity and key fingerprints in person then Bob can verify
the vast majority of Apache releases.  Alice gains only the ability to
verify signatures from Bob in return. Bob gains a lot from this
exchange and Alice very little.

suppose now that Dawn is a well connected Debian maintainer. when
Alice and Dawn meet personally and verify each other keys the gain is
high. everyone within two hops of Alice is now connected to everyone
within one hops of Dawn and vice versa. this is a big gain for the
FOSS WOT.

my new key is well connected to the Apache WOT through the old key
one. i'll have my passport and cards with my key fingerprint on.
anyone how wants to be able to sign my key so they can verify Apache
releases (and many other FOSS signatures too) is more than welcome to
take a look and a card. they don't even need to have a key now: if
they keep the card safe then they can safely sign at any time in the
future.

if there are going to be people with existing keys there, maybe we can
pick a time to meetup...

- robert