One of the issues in using public key encryption is ensuring you know who you are communicating with, and that you have correctly matched the owner to the key. Otherwise, your communication could be intercepted and decrypted by a third party who has substituted a key of their own. The way we solve this problem is with key signing, which is often done at key signing parties. We discuss all this with Tony Bemus of the Sunday Morning Linux Review.
Comments
Comment #1 posted on 2014-05-09T17:31:12Z by Bert Yerke
I attend the key-signing party at SCaLE every year. Phil Dibowitz usually hosts and has done so for many years. He recommends not to do any actual signing at the party but rather use a worksheet to verify the keys and then follow up at home (or in your hotel room) after the party. First each participant reads his/her fingerprint while the rest of us check it off on the list. Then we form a "conga line" to verify identity with some form of picture ID. Passports are the most trusted form of ID.
There is more information at Phil's website:
He also has a program to do some of the heavy lifting:
PIUS can be used to manage the party and to follow up after. It is a nice way to process each of the new keys, requiring intervention only to set validation level and it also mails the signed key to the owner automagically.
Hope that helps,
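The "verify at the party, sign at home" workflow above rests on one check: the fingerprint of the key you later fetch from a keyserver must equal the fingerprint you ticked off on the worksheet in person. The following is an added example (not code from the comment, nor from PIUS) that derives a v4 OpenPGP fingerprint from a public-key packet body per RFC 4880 (SHA-1 over 0x99, a two-byte length, and the body) and compares it against worksheet entries; the key material and participant names are constructed for illustration, not real keys.

```python
import hashlib
import re

def build_v4_pubkey_body(n: int, e: int, created: int = 0x53670000) -> bytes:
    """Body of a v4 RSA public-key packet (RFC 4880 5.5.2): version byte,
    4-byte creation time, algorithm id 1 (RSA), then MPIs n and e.
    Constructed sample structure only; the modulus is far too small to be a real key."""
    def mpi(x: int) -> bytes:
        bits = x.bit_length()
        return bits.to_bytes(2, "big") + x.to_bytes((bits + 7) // 8, "big")
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """40 hex digits: SHA-1(0x99 || 2-byte body length || body), RFC 4880 12.2."""
    prefix = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(prefix + body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Strip the spacing and case people use when writing fingerprints by hand."""
    return re.sub(r"\s+", "", fpr).upper()

def check_against_worksheet(fetched: dict, worksheet: dict) -> dict:
    """fetched: name -> public-key packet body retrieved after the party.
    worksheet: name -> fingerprint ticked off in person.
    Returns name -> 'OK', 'MISMATCH' or 'NOT VERIFIED IN PERSON'; only 'OK' keys
    should be signed, since anything else was never tied to a person and an ID."""
    result = {}
    for name, body in fetched.items():
        if name not in worksheet:
            result[name] = "NOT VERIFIED IN PERSON"
        elif v4_fingerprint(body) == normalize(worksheet[name]):
            result[name] = "OK"
        else:
            result[name] = "MISMATCH"  # keyserver copy is not the key read aloud
    return result

if __name__ == "__main__":
    # Constructed participants: "alice" as verified, "bob" whose fetched key differs
    # from the one read aloud, and "mallory" who was not on the worksheet at all.
    alice = build_v4_pubkey_body(0xC0FFEE123456789, 65537)
    bob_real = build_v4_pubkey_body(0xDEADBEEF0BADF00D, 65537)
    bob_fetched = build_v4_pubkey_body(0xDEADBEEF0BADF00E, 65537)
    worksheet = {"alice": v4_fingerprint(alice).lower(), "bob": v4_fingerprint(bob_real)}
    fetched = {"alice": alice, "bob": bob_fetched, "mallory": alice}
    for name, verdict in check_against_worksheet(fetched, worksheet).items():
        print(f"{name}: {verdict}")
```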
Comment #2 posted on 2014-05-10T07:35:07Z by Ken Fallon
Conga line fail ?
You might want to also listen to http://hackerpublicradio.org/eps.php?id=1461 where Dave reports on his experiences in a conga line.
Comment #3 posted on 2014-05-15T15:10:45Z by Dave Morriss
Next time music?
Thanks for mentioning PIUS. I received a few signatures from people using this after this year's FOSDEM.
I realise now what else was missing from the FOSDEM "conga" - music :-)
Comment #4 posted on 2014-05-17T21:31:30Z by Alison Chaiken
import existing keys from server into APG?
Has anyone figured out how to import existing public keys from a keyserver into APG? The help the app provides is quite limited. I don't see any advantage to creating a new key for my phone. Am I missing something?
Excellent series, Ahuka. I installed mailvelope as well.
Comment #5 posted on 2014-05-17T22:15:15Z by Alison Chaiken
not all keys appear in "encrypt for" list?
The list of keys I can encrypt for is much shorter than the list of keys I successfully imported. Anyone else have this problem? Restarting the browser did not help.
Comment #6 posted on 2014-05-18T09:30:50Z by Alison Chaiken
Mailvelope, APG and K9mail working!
It has taken me a couple of hours, but I have Mailvelope, APG and K9mail working on my Android phone as well as on my laptop. I finally figured out that there is a hidden tab that allows APG to import keys from keyservers. For K9mail, since I use two-factor authentication with gmail, I had to set up an "application-specific password." I put my secret key on my phone by MTPFS mounting it, copying the ASCII-armored secret key to the Downloads folder, importing it into APG, and then remounting the folder to delete it.