Hybrid keysigning party, your opinion?

Stephan Beck stebe at mailbox.org
Thu Dec 8 13:00:00 CET 2016


Lachlan Gunn:
> On 2016-12-08 at 08:14, Stephan Beck wrote:
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
> If I understand correctly, the late attendees still get a copy of the
> fingerprints after the fact, they just don't have it on their sheet of
> paper.  The fingerprint-less piece of paper just lets them keep a record
> of who they have verified, and gives them a hash of the list that does
> have the fingerprints, which they can compare with the people who were
> ready beforehand (to make sure that the fingerprints have been verified
> by the identity holders).

Yes, they still get the original file from the organizer afterwards,
that's true.

caff automatically checks the fingerprint on import (before mailing out
each of the signed keys/UID), so there's no way of tampering. If they
hadn't those fingerprints (or the original file/list), caff would not
let them go on.

Quote from README.many-keys:

$ caff <options> <ksp-annotated.txt

caff will ignore participants for which both the "ID" and
  "Fingerprint" checkboxes are not *both* marked with an 'x'.
  (Moreover, keys are selected using their 40-hex digits fingerprint,
  which must be present in the list.)

Nevertheless, they can go through all the key-signing (event) without
directly verifying fingerprints (although they do have sufficient
cryptographic or computational evidence via checksum that others have
indeed done so); even though I don't see any way of cheating in Peter's
proposal, I find that this aspect is remarkable.
More remarkable, however, is the fact that he tries to include people
that on other occasions are being treated as second-class participants.
If I could be there I'd really like to participate and help (no "angels"
needed, Peter? Tickets are sold out! ;-)

> I've actually thought of doing an electronic keyslip program for mobile
> phones/tablets that would let you build the list electronically using QR
> codes or NFC, or maybe doing it via the hash-on-the-projector method for
> maximum speed.  Then you could just download the file to your signing
> machine and let CAFF do its thing.
> Would this interest anyone?  Does the idea have flaws that I'm blind to?

Yes, to your first question. How you would do that via the
hash-on-the-projector method is not clear to me, though. Would that be
for generating the (initial) list of the organizers as in Sassaman
Efficient (as an additional service for people using cell phones or
tablets)? Or wouldn't there be any paper copy at the event?
Sorry for questions that might seem obvious to you.
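
Added example, not part of the original message and not caff's own code: a sketch of the two checks discussed in this thread, first confirming that the list received from the organizer matches the hash compared at the event, then keeping only entries where both boxes are marked and a 40-hex-digit fingerprint is present. The entry layout, the use of SHA-256, the assumption that the hash covers the list with all boxes unmarked, and every function name are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample list; the layout is an assumption, not caff's real input format.
SAMPLE_LIST = """\
001  [x] Fingerprint OK        [x] ID OK
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid   Alice Example <alice@example.org>

002  [x] Fingerprint OK        [ ] ID OK
      Key fingerprint = 89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF
uid   Bob Example <bob@example.org>

003  [x] Fingerprint OK        [x] ID OK
uid   Carol Example <carol@example.org>
"""

BOX = re.compile(r"\[(.)\]\s+(Fingerprint|ID) OK")
FPR = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")

def list_digest(text):
    """Digest to compare with the value announced at the event (SHA-256 assumed)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def strip_marks(text):
    """Return the list with every checkbox cleared, i.e. the file as distributed."""
    return re.sub(r"\[[xX]\]", "[ ]", text)

def signable(text):
    """Fingerprints of entries with both boxes marked and a 40-hex fingerprint present."""
    selected = []
    for entry in re.split(r"\n\s*\n", text.strip()):
        marks = {name: mark.lower() == "x" for mark, name in BOX.findall(entry)}
        m = FPR.search(entry)
        fpr = re.sub(r"\s+", "", m.group(1)).upper() if m else ""
        if marks.get("Fingerprint") and marks.get("ID") and re.fullmatch(r"[0-9A-F]{40}", fpr):
            selected.append(fpr)
    return selected

def check_and_select(annotated, announced_digest):
    """Refuse to select anything unless the unannotated list matches the announced hash."""
    if list_digest(strip_marks(annotated)) != announced_digest:
        raise ValueError("list does not match the hash announced at the event")
    return signable(annotated)
```

In the sample, only the first entry is selected: the second lacks the ID mark and the third has no fingerprint in the list.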



More information about the Gnupg-users mailing list