[openstack-dev] PGP keysigning party for Juno summit in Atlanta?

Clint Byrum clint at fewbar.com
Sun Mar 30 16:05:51 UTC 2014

Excerpts from Thomas Goirand's message of 2014-03-29 23:32:55 -0700:
> On 03/30/2014 10:00 AM, Mark Atwood wrote:
> > Hi!
> > 
> > Are there plans for a PGP keysigning party at the Juno Summit in
> > Atlanta, similar to the one at the Icehouse summit in Hong Kong?
> > 
> > Inspired by the URL at
> > https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust/Icehouse_Summit
> > I looked for 
> > https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust/Juno_Summit
> > to discover that that wiki page does not yet exist and I do not have
> > permission to create it.
> > 
> > ..m
> If there's none, then we should do one.
> One thing about the last key signing party is that I didn't really like the
> photocopy method. IMO, it'd be much much nicer to use a file, posted
> somewhere, containing all participant fingerprints. To check that
> file's validity, together, we check its sha256 sum (someone says it out
> loud, while everyone is checking their own copy). And everyone,
> individually, checks for their own PGP fingerprint inside the file. Then
> we just need to validate entries in this file (with matching ID documents).
> Otherwise, there's the question of the trustability of the photocopy
> machine and such... Not that I don't trust Jimmy (I do...)! :)

If we follow either of these methods:


Then everyone should bring their own copy of the file. Note that this
implies that one is using their own trusted equipment to do this or
verifying painfully that nothing has been altered during that process.

So it is important that we socialize this and have people ready _before_
the summit, so they can print at home. The point is, users should still
_print it themselves_ to avoid a mass compromise of the key signing
process at the time of duplication/printing.

Now, having somebody else print the lists is fine as long as you have key
owners look at your copy and verify the fingerprint on your list. This is
_extremely_ inefficient compared to the Sassaman Efficient protocol, but
it works o-k for small groups, as the person can verify your list while
you're verifying their government ids, and you can do the same for them.

I would suggest making these photocopies on an odd color of paper so
that key owners can know to ask for the list to verify it, rather than
letting unknowing lazy signers get away with trusting the photocopy.

> Plus having a text file with all fingerprints in it is more convenient:
> you can just cut/paste the whole fingerprint and do gpg --recv-keys at
> once (and not just the key ID, which is unsafe because it is prone to
> brute-force). That file can be posted anywhere, provided that we check
> for its sha256 sum.
> I would happily organize this, if someone can find a *quiet* room with
> decent network. Who can take care of the place and time?

There is zero network necessary for the party. In fact it is sort of
discouraged, as having network would distract from the single-minded
and very social purpose of the party. Or are you requesting a room to
do the list creation?

> Of course, we will need the fingerprints of every participant in
> advance, so the wiki page would be useful as well. I therefore created
> the wiki page:
> https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust/Juno_Summit


> Please add yourself. We'll see if I can make it to Atlanta, and organize
> something later on.

Done. I'm happy to pick up facilitation of this process if you can't
make it.

> Cheers,
> Thomas Goirand (zigo)
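
The list-file check described in the quoted proposal (agree on the file's SHA-256, then find your own full fingerprint in your own copy), as an added example that is not part of the original thread. The tab-separated `fingerprint<TAB>owner` layout, the function names and the sample fingerprints are constructed assumptions; the example also flags entries that are only a key ID and entries that share a 32-bit short ID.

```python
import hashlib
from collections import defaultdict

# Constructed sample list (assumed layout: fingerprint, TAB, owner).
SAMPLE = (
    b"# constructed sample, not real keys\n"
    b"0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567\tAlice Example\n"
    b"FEDCBA9876543210FEDCBA987654321001234567\tBob Example\n"
    b"DEADBEEF\tCarol Example\n"  # short key ID only: must be rejected
)

def list_digest(data: bytes) -> str:
    """SHA-256 over the exact bytes of the list file, as read aloud."""
    return hashlib.sha256(data).hexdigest()

def parse_list(data: bytes):
    """Return ({fingerprint: owner}, problems); only full 40-hex entries pass."""
    entries, problems = {}, []
    for n, line in enumerate(data.decode("utf-8").splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fpr_field, _, owner = line.partition("\t")
        fpr = "".join(fpr_field.split()).upper()  # drop gpg's grouping spaces
        if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
            problems.append(f"line {n}: not a full fingerprint: {fpr_field!r}")
        elif fpr in entries:
            problems.append(f"line {n}: duplicate fingerprint {fpr}")
        else:
            entries[fpr] = owner.strip()
    return entries, problems

def short_id_collisions(entries):
    """Distinct fingerprints that share the same 32-bit short key ID."""
    by_short = defaultdict(list)
    for fpr in entries:
        by_short[fpr[-8:]].append(fpr)
    return {k: v for k, v in by_short.items() if len(v) > 1}

def check_my_copy(data: bytes, announced_sha256: str, my_fingerprint: str) -> bool:
    """True only if my copy hashes to the announced value and lists my key."""
    mine = "".join(my_fingerprint.split()).upper()
    entries, _ = parse_list(data)
    same_file = list_digest(data) == "".join(announced_sha256.split()).lower()
    return same_file and mine in entries

if __name__ == "__main__":
    entries, problems = parse_list(SAMPLE)
    print(list_digest(SAMPLE), problems, short_id_collisions(entries))
```

The digest covers the raw bytes, so a copy re-saved with different line endings or encoding will not match even if every fingerprint is unchanged.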
