[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fsuk-manchester] SFD09 – The final call for v olunteers

From: Leslie I'Anson
Subject: Re: [Fsuk-manchester] SFD09 – The final call for v olunteers
Date: Fri, 18 Sep 2009 17:29:00 +0100

Personally, I agree with Robert here, SFD is not the place to hold
workshops but signing keys is up to you. I think where Simon got
confused is with regards to the subject line of these emails, which
came about because Robert initially contacted me by replying to the
call for volunteers.

Anyway, I don't want to forgot about the MDDA because Micheal and I
are planning to hold workshops there in the future, which is why I was
suggesting it to Robert. Btw, I for one am really keen on
understanding some more of the theory behind key generation, signing
and the web of trust and I'm sure others are too.

Thank you both for you input. We'll talk more about this after or at SFD.

Bye for now,

On 18/09/2009, Robert Burrell Donkin <address@hidden> wrote:
> On Thu, Sep 17, 2009 at 6:15 PM, Leslie I'Anson <address@hidden>
> wrote:
>> On 17/09/2009, Robert Burrell Donkin <address@hidden>
>> wrote:
>>> On Thu, Sep 17, 2009 at 1:52 PM, Simon Ward <address@hidden> wrote:
>>>> On Thu, Sep 17, 2009 at 12:26:37PM +0100, Robert Burrell Donkin wrote:
>>>>> given the progress made on breaking SHA-1[3], i'm very keen to swap my
>>>>> new openpgp code signing key with others in the FOSS web of trust. if
>>>>> there are people interested, i'd be happy to do key signing party (if
>>>>> there isn't one already) or talk people through how to set up GnuPG[4]
>>>>> to generate strong keys and strong links in the WOT[4][5].
>>>> I’m happy to join in and help with this.
>>> cool :-)
>>> what's be the best way to get organised? are there enough people with
>>> keys to do a formal party? or would something ad hoc be better?
>>> - robert
>> My advice would be to hold a workshop (or two) first. Then numbers
>> won't be so much of a problem.
>> On proposal would be:-
>> Workshop 1 - Introduction to the technology and tools, etc. (ie. theory +
>> demo)
>> Workshop 2 - Generating keys, etc. (ie.putting theory into practice)
> the theory's a bit dull and requires a lot of technical terms to be done
> right
> i think that a single hands-on workshop would probably work better. if
> enough people bring along laptops then we can break into small groups
> clustered around those laptops and play around with demo keys based
> around some practical problems.
> it'd probably be more fun than listening to myself lecture on prime
> number theory for a couple of hours ;-)
>> Reward - Key signing "party" (ie. lots of people we new keys to sign)
> any key signing party needs to be a separate event (for security
> reasons). the only demo keys not intended for distribution should be
> used at a workshop. but yes, i can organise a formal key signing party
> after the workshop.
> i would like to try to meetup with anyone who already uses OpenPGP
> since the benefits of signing a key depend on how connected that key
> is
> suppose Alice is well connected to the Apache WOT. then most Apache
> release managers will be linked within the three steps that a typical
> trust model uses. Suppose Bob is not well connected. if Bob can verify
> Alice's identity and key fingerprints in person then Bob can verify
> the vast majority of Apache releases.  Alice gains only the ability to
> verify signatures from Bob in return. Bob gains a lot from this
> exchange and Alice very little.
> suppose now that Dawn is a well connected Debian maintainer. when
> Alice and Dawn meet personally and verify each other keys the gain is
> high. everyone within two hops of Alice is now connected to everyone
> within one hops of Dawn and vice versa. this is a big gain for the
> my new key is well connected to the Apache WOT through the old key
> one. i'll have my passport and cards with my key fingerprint on.
> anyone how wants to be able to sign my key so they can verify Apache
> releases (and many other FOSS signatures too) is more than welcome to
> take a look and a card. they don't even need to have a key now: if
> they keep the card safe then they can safely sign at any time in the
> future.
> if there are going to be people with existing keys there, maybe we can
> pick a time to meetup...
> - robert

http://www.fsf.org/ Support The Freedom!

reply via email to

[Prev in Thread] Current Thread [Next in Thread]