Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

OpenPGP Meetup 24

An anonymous reader writes "Please mention the upcoming OpenPGP meetups, http://openpgp.meetup.com/. getting crypto out there into the mainstream is the only defence we have from outside interference." Consider it mentioned. I don't really know how getting together at local bar or whatever brings crypto "into the mainstream", but maybe you can sign the bartender's key or something.
This discussion has been archived. No new comments can be posted.

OpenPGP Meetup

Comments Filter:
  • I don't really know how getting together at local bar or whatever brings crypto "into the mainstream", but maybe you can sign the bartender's key or something.

    Umm...network effects from keysignings, which (to be technically accurate) require in-person identity verification?

    I never really went out for that much effort. If I've emailed a person back and forth a few times, and their email address is on their web page, I pretty happily sign their key. PGP should be *useful*, not an anchor around one's neck
    • This brings up an interesting issue. As far as I can tell, key signing is only useful for connecting an electronic identity (the PGP key) with a physical identity (the actual person involved).

      When one's working a lot with people from all over the globe via the internet, and you're never going to meet most of them, you can't really make this connection. However, there could be other useful connections to make.
      For example, once I've emailed with the creator of software Foo a number of times, I do know that h
      • No real reason you have to link a real life name to a PGP key.

        Just an email address...that's all you really need.

        For example, Red Hat signs their RPMs with a GPG key that isn't used for sending mail or anything else.
  • Hello Drunk Person, I am also drunk.

    Sure, I didn't know you 3 hours ago, but after a few rounds, I'll sign your key right away!

    • Hopefully this should not be a problem. If you're drunk enough to be willing to sign someone's key without properly verifying everything, then you're probably too drunk to type your passphrase. You're certainly too drunk to read the 'gpg -h' output and remember what the command line switches are. You're more likely to end up signing a copy of some sensitive file and sending out to all your friends.
  • If there is one reason where Crypto-folks have failed, it's in explaining why key-signing is important to non-Crypto-folks. My friend signs the key of some stranger he met at Starbucks in Alameda. Why should I care?

    I've had a PGP key for about 8 years, and it's been used by others to send a sekret mezage to me less then a dozen times. Off of the top of my head , I can think of dozens of people who have a Key, and only 1 other person who does have a key.

    Why is this important? Why should I care?
    • -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      High level overview here.

      E-mail sent via SMTP is the electronic equivilant of a postcard. Anyone handling the message en-route can read it in clear text. But because it is digital, the likelihood of it being read by at *least* a 'bot (like Carnivore) is quite high.

      The other major problem with e-mail is accountability; how do I know who this message *really* came from?

      OpenPGP implementations like PGP and GnuPG address both of these issues.

      You can encrypt a
    • Why is this important? Why should I care?

      A plaintext email can easily be read by anybody who wants to read it, and emails aren't at all hard to spoof, either. PGP provides a way of verifying that the email you are reading was in fact written by the person who claims to have written it (assuming it's signed and you trust their key), and that nobody else read it inbetween his writing it and your reading it (assuming it's encrypted).

      Sure, it might not matter much to you if John Q. Hax0r reads your correspon
  • by CustomFort ( 643959 ) <MarkNO@SPAMReitblatt.com> on Friday April 11, 2003 @05:00PM (#5713619) Homepage Journal
    Me: Hey barkeep, pour me a
    -----BEGIN PGP MESSAGE----- Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com qANQR1DBwU4Dycxpn5YWMKIQB/4jcQBenjBJUnUCg4BX7mSmJv fxGmKk4DaBoYCT mYyN2Psw/BF/vzodvEzX+BpbdFuhnDd4p5QQ0G9JMWlkAkmVPQ ZX4TWKN4Lmdpm7 Eu6x6tWRC+nSJze7+NfxX8mx/TyuhNKMucqEIfxut795ehc4Dz CBKqUsedWAa4XZ 1/T2mrLjCf5lhP4g26fFnXZvm2ME4SY3UM+HHAQmXABnuq5058 1owfCYfgXgc9Iu jRdlzhC/2VCHXgoy9e7FIquycedSyZWWTC4TI0YFbNJ0CW1L8e JF1AXwdzziWqsD KOu6Dkc6LGp9NEQTE4rCT95PNBvA8h2CvpS+nyW8dCYiyliMB/ 961qqP5+txodPM 8mpq3ZsOpZJ851BXjCfUsv5JcFa7eYQ/qdYnCw01fjcl2yPuWW Di+rgOCrZGCDyQ NX+2/X7evJZXKfX2EceHS0jX7LEQYY+jJ1QQS/NxL8DQOm+CKj 1STaj9zFlZiecF a6/XVCJn44pxbus0+deCH4tutBSZIMfZECYcPGPnSNG/dSRg/D uI73zlLW/Rq0w8 KnF6vvOibrodT7caa//ZSfQpcqUf5YAdncPTi02P+rS92ajQu6 j2q8SFh6HLI45R iK08HZNoy0ERg/Iy+L+AXn1Nvzs6PfrMEuV1LHQsIfi46Uoecs TZFqWOAcUKJ61h Esw0WHdsySjhQlfzNB4g8+Tp/m36kr7D3UdJi4nc/BYf8rwmen RX8k+tXXpcEjrb =m8C5 -----END PGP MESSAGE-----

    BarKeep: That'll be
    -----BEGIN PGP MESSAGE----- Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com qANQR1DBwU4Dycxpn5YWMKIQB/4hSvhixkEZ+CYj4Ow+8fK+D4 EpBEqRFdiL09S6 XFVufOEDllOtctm4M/E7g2fu7znPc25b1sSNwOsMofcyXvQ5Sj PV7oo3Q4kEA+rz +dVt260nxrXQjxuSsl6kx6rxdoPii+jMyv7PH/ZDluDwOFDQB+ efs9NdYuwUnBB7 yBj6/9Fu+16uAQuY+Dnlia6kub9XNVGuH3dlgvYnDmT1Lk22a4 eKara0HBd4ZEV4 d3ObqK2uXjQfyvKbxQaIP3aNEFu/dpwkmKueIS7bW4YVeZpllb xFms2ORwKUpU8Z 5zEQnwax9KI9NFhQbMgiQzrYdUEi7GTtKdo0NIwGo04bhBsRB/ wIvYheeDy0JSvP 1swLLDVNzChvSwfJUoNZJPopJaA5VNx6S5gb5xZBy7krieCru+ Ll/FDHAUL08c2c ebURo1TYIK18jLxgXqdn0dVreNy1wdHOjEQcdo/eYY/2W6Z5SS yyUOrDUU+mO5RS yBrHo42JT/nlh+r5Ylq+KUeuvkZBamO1ITAVpuByrTFQsIShxB PdsWettSmjeM4v RabkYNO05GLxPI1DCPJrApDu1741ilKXj1FmqxKFzvPn+YypaY B7nNIzLyhAduiK H9I1gklvDmH3Ht/7OeZo4gGe7xO+K7AHz9oUdaKo/gC5do8eLe ExY8Nihx+ct02L u7+e5GOxySWpPzHvDd8rOcB2u566WlbYMcb5t/i6735sHRWjTt O9NoY0NOx2 =g4ea -----END PGP MESSAGE-----
  • by hrarbinger ( 635808 ) on Friday April 11, 2003 @05:31PM (#5713817)
    Although the web page is sparse on details (I might go so far as to say completely devoid) this isn't a bad idea. Getting folks together to develop a web of trust is the whole point of the PGP model. The more people who have signed your key, the more likely you and someone you don't know will have a common person that you both do know who has signed your keys. Without ever directly meeting them, you can put your trust in the common associate and send encrypted messages or verify digital signatures.

    The problem is doing PGP signing the right way. I really suggest anyone attending one of these events take a look at web pages that describe "PGP Key Signing Parties" (just google, you'll find a bunch) to get the idea. In brief, to be absolutely sure that you trust a key belongs to someone, you need to verify the following:

    1. The key ID (2BCA871D for example)
    2. The key type (DSA, RSA, etc)
    3. The key bits (768, 1024, 2048)
    4. The key fingerprint (A028 82B4 14CC ...)
    Any one of these items can be forged while maintaining the others, so you need to verify them all.

    Now, the hard part is how do you verify that this human who has brought these bits of data is the actual human associated with the key? You can check their driver's license and things like that. But of course this is where it's much better to only sign keys of people you know, rather than just total strangers.

  • by mcelrath ( 8027 ) on Friday April 11, 2003 @07:55PM (#5714413) Homepage
    Don't bother kids. Only 56 people worldwide have signed up, and you have to agree to a 30-odd page "Terms of Service" to figure out where and when. That's just fucking ridiculous. I don't need a stupid terms of service to buy a beer with some crypto geeks.

    You'd think with all the talent out there someone would have written a quick CGI to do this, rather than using a commercial service (meetup.com).

    -- Bob

Talent does what it can. Genius does what it must. You do what you get paid to do.

Working...