ANNOUNCEMENT: BAD meeting 2004-06-09 (keysigning and protocols)

Michael Paoli Michael.Paoli@cal.berkeley.edu
Wed, 9 Jun 2004 05:26:22 -0700


Vineet Kumar <vineet@doorstop.net>,

To the extent feasible, you may wish to leverage as much of key signing
protocol (e.g.:
http://sion.quickie.net/keysigning.txt 
) as possible for the 2004-06-09 BAD keysigning event.
To leverage the above mentioned protocol as much as feasible for this
event (at least as keys may still be flowing in a bit late, and not   
everyone may be familiar with the protocol), I might suggest "tweaking"
the above described protocol as follows:
  wait as long as is reasonably feasible for you to collect and
  (pre)process keys prior to the meeting as described here,

  prepare hardcopy information about the keys thusly:

    prepare sheet analogous to description on URL above,

    on that sheet, have secure hash (MD5 or SHA-1) printed on the top or
    bottom extreme edge of the sheet (if multiple sheets are necessary,
    provide in that space, hash and "page n of N" (where N is total number
    of pages to one set of sheets, and n indicates page of set), provide
    other relevant (necessary and sufficient) information on the sheet
    necessary for participants to check off person's key IDs (at least
    name, key IDs, fingerprints - fingerprints generally wouldn't be
    verified individually or as a group at the event, except via
    verification of all data on each sheet (or sheet set) via the secure
    hash value.

Since folks may not be familiar with the protocol (e.g.
http://sion.quickie.net/keysigning.txt) explain how it works at the
beginning of the event.

As folks pick up sheet (or sheet sets), have the
sheets lined up such that folks can inspect that the secure hash printed
on each and every sheet are all the same prior to picking up sheet (or
sheet set) - that and/or one person can read off the secure hash value
and everyone can verify that's what's printed on their sheet (or sheet
set).

Keysigning event would mostly proceed as described in
http://sion.quickie.net/keysigning.txt, however folks could then later
verify that secure hash obtained from keysigning event matches publicly
available file (which participants could independently check later).
Publicly available file must of course match that secure hash, and all
information provided on the sheet (or each set) must match to
information provided in the file (e.g. key IDs, names, fingerprints, any
other information provided on the sheets, which is or appears derived
from the keys, etc.).  (Sheet could also contain additional supplemental
information that wouldn't be easily confused with data from keys or
secure hash value for publicly available file, such as relevant URL(s)
for file, protocol, etc.).

Key (figuratively speaking) advantage of use of
http://sion.quickie.net/keysigning.txt plus tweaks I mention here is it
has the advantages of http://sion.quickie.net/keysigning.txt (mostly
avoid everyone reciting and checking everyone's fingerprint for each
key at the event), while having the advantage that folks don't have to   
verify much information in advance of the event (e.g. just match secure 
hash at event to agreed upon value, individuals check off participants
on the sheet (or set) as they acknowledge their data on the sheet (or 
sheet set) is correct (without verbally reciting fingerprint data to the
whole group) and then there is the customary in-person part of "Identity
verification is done according to the individual policy of those people
signing keys").  Folks can then later verify that secure hash from sheet
(or sheet set) matches publicly available file, and that all data   
presented on the sheet which appears to be from keys matches data from
publicly available file.

Oh, if necessary, there are photo copy places available within a few
blocks or so (possibly less) of the event location.

Quoting Vineet Kumar <vineet@doorstop.net>:

> * Vineet Kumar (vineet@doorstop.net) [040529 01:49]:
> > I will be organizing a PGP key-signing.  If you would like to
> > participate, please send me your OpenPGP public key at least 24 hours
> > before the meeting.
> 
> I'm generating a table to be used for keysigning, which is available at 
> 
> http://www.doorstop.net/bad-keysigning
> 
> As you may notice; it's very small so far.  Let this serve as a reminder
> to any procrastinators to send me their keys, as the meeting is
> tomorrow.  I'm not anal about the 24 hours I requested; I'll include any
> keys I receive before whenever I print the list out tomorrow.  Of
> course, you can participate in the signing even if your key is not on
> the list.  (Bring your fingerprint if you want to get signatures, or
> just get a copy of my list to just sign others' keys.)
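
The after-the-event check the message above describes (the hash copied from the sheet must match the publicly available file, and every fingerprint checked off on the sheet must appear in that file), as an added example that is not part of the original e-mail or of the keysigning.txt protocol. The file layout, the sample keys and all function names are assumptions made for illustration, and the example also accepts SHA-256, which the message does not mention.

```python
import hashlib
import hmac
import re

# Hex digest length -> algorithm. MD5 and SHA-1 are the two the message
# names; SHA-256 is an addition of this example.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample of the public key-list file (hypothetical layout).
SAMPLE_FILE = (
    b"pub  1024D/AAAA1111 2003-01-01 Alice Example <alice@example.org>\n"
    b"     Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF AAAA 1111\n"
    b"pub  1024D/BBBB2222 2003-02-02 Bob Example <bob@example.org>\n"
    b"     Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 BBBB 2222\n"
)

def normalize_hex(text):
    """Drop spaces, colons and case from a value copied off paper."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("not a hex value: %r" % text)
    return cleaned

def sheet_hash_for(file_bytes, algo="sha1"):
    """Organizer side: digest of the file, grouped for printing on the sheet."""
    digest = hashlib.new(algo, file_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def file_matches_sheet_hash(file_bytes, sheet_hash):
    """Participant side: does the downloaded file hash to the sheet's value?"""
    expected = normalize_hex(sheet_hash)
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:
        raise ValueError("unexpected digest length: %d" % len(expected))
    actual = hashlib.new(algo, file_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

def unmatched_fingerprints(file_text, checked_off):
    """Fingerprints checked off on the sheet that are absent from the file."""
    in_file = {normalize_hex(m) for m in
               re.findall(r"fingerprint\s*=\s*([0-9A-Fa-f ]+)", file_text)}
    return [f for f in checked_off if normalize_hex(f) not in in_file]
```

A participant would sign only keys whose fingerprints come back matched, and only after `file_matches_sheet_hash` returns true for the file as downloaded.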