Hybrid keysigning party, your opinion?

Stephan Beck stebe at mailbox.org
Thu Dec 8 14:14:00 CET 2016

Peter Lebbing:
> Stephan and Lachlan, thank you for thinking about this! I need to make a
> decision soon, I really need feedback!
> On 07/12/16 22:44, Stephan Beck wrote:
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
> The normal attendees also don't do any fingerprint verification *at the party*.
> At home, before the party, they checked their own fingerprint, and generated the
> SHA256 checksum for the file they got. At the party, everybody together checks
> the SHA256 checksum by simply reading aloud each and every digit.

Yes, Peter, but they are the "ordinary" participants who went through
the preparation, and then state (at the event) that the checksum is
{checksum} and that the corresponding fingerprint on the list is theirs
and that it is correct ("check out"). The others (late attendees) just
hand out their keyslip (keyslip is just an "unverified statement"),
receive the keyslip from the other, together with the fingerprint-less
list they have, and postpone the verification to the moment when they
are at home and have been sent the list from the organizer. By that
time, the others ("Sassaman's Efficient ordinary participants") can
already be sure of the integrity/authenticity of the messages of their
communication partners and that partner's true identity.

Just some meditations:

So, the late attendees can see and hear that the ordinary participants
confirm the checksum and that their fingerprints check out?
One that was on the list and didn't show up would not get the required
marks on () fpr () id ? Would that person be (as uid-serial number, 001,
002, 003...) on the attendee's fingerprint-less list? But that person
definitely would not end up as a person being included in the final
list? That might produce inconsistencies in numbering. So the final list
just would not include some serial numbers that once were on the
"initial" list or the fingerprint-less list? Then, by checking serial
numbers, as you say, it's ok :-)

