Hi all,
It's been a while since a pubmeet had a write-up but I thought it was worth a go :)
On a suggestion from rlp10, last night ended up being somewhat of a PGP key-signing party. All of us around the table (there were 6 of us) - plus one passer-by that I happened to know - had PGP (or rather GPG) keys so, over the course of the night, we managed to each sign each other's keys. There was even provision of ID and encrypted emails sent to verify identity and key ownership. A fairly textbook key-signing I'd say.
Additionally, we collectively managed to get a sensible mutt config together for getting GPG integrated and working.
For reference, the magical invocation to make mutt understand encrypted/signed mail from Macs and Thunderbird is:
    message-hook '!(~g|~G)~b"^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE"' "exec check-traditional-pgp"
Stick that in your .muttrc and it all works nicely. (You need a `source /path/to/muttrc.gpg` line in there somewhere too. The path varies by distro.)
Aside from the PGP-related fun, katsmeat had brought an interesting old PC that had a built-in LCD display and ran Microsoft BASIC (I don't remember what the machine actually was) and I offloaded a load of old hardware onto rlp10 \o/
The food didn't seem as good as usual.
The beer did.
Until next month!
Steve (Stilvoid)
Thanks Steve for the report.
On Fri, Jul 13, 2012 at 04:56:44PM +0100, Steve Engledow wrote:
On a suggestion from rlp10, last night ended up being somewhat of a PGP key-signing party. All of us around the table (there were 6 of us) - plus one passer-by that I happened to know - had PGP (or rather GPG) keys so, over the course of the night, we managed to each sign each other's keys. There was even provision of ID and encrypted emails sent to verify identity and key ownership. A fairly textbook key-signing I'd say.
Are there other list members who use GPG? It would be good to extend the web of trust beyond the regular pub attenders.
Richard
On Sat, 14 Jul 2012 23:04:48 +0100 richard.lee.parsons@gmail.com allegedly wrote:
Are there other list members who use GPG? It would be good to extend the web of trust beyond the regular pub attenders.
Richard
I use it.
Mick
---------------------------------------------------------------------
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
---------------------------------------------------------------------
On Mon, Jul 16, 2012 at 12:22:43PM +0100, mick wrote:
On Sat, 14 Jul 2012 23:04:48 +0100 richard.lee.parsons@gmail.com allegedly wrote:
Are there other list members who use GPG? It would be good to extend the web of trust beyond the regular pub attenders.
Richard
I use it.
Mick
I'm still pretty new to this, but understand that I'm meant to see government ID to confirm the identity of the person and also check that they can sign/decrypt with the key.
Are you local to Norwich, in which case maybe we can meet at lunchtime one day if we're both in the city. If not, maybe I should make my way over to another ALUG meeting sometime. Isn't there one in Ipswich tonight? Do you go to those?
Thanks Richard
On Mon, 16 Jul 2012 12:26:57 +0100 Richard Parsons richard.lee.parsons@gmail.com allegedly wrote:
I'm still pretty new to this, but understand that I'm meant to see government ID to confirm the identity of the person and also check that they can sign/decrypt with the key.
Up to you to decide what form of ID is "sufficient" for your purposes. Obviously a photo id (such as a passport or driving licence) issued by an authority both parties trust is preferable to something less rigorous, but bank cards or any such signature based id are also often acceptable. The point is, the policy ought to be established first and published so that later entrants to the party know what level of rigour is/was applied. In my view, there is little point in my insisting on you showing me your passport, if prior signings have been less rigorous.
You also need to decide /why/ the key signing exchange is necessary. You don't actually /need/ a web of trust for secure exchange of emails (which is what I use GPG for). I publish my public key both on keyservers and on my own blog. If someone wants/needs to send me secure email they can do so. If they then send me their public key I can do the same in reverse. It is up to me to assign the level of trust I place in that key. That trust level usually depends on how long (and in what context) I have known the owner.
Are you local to Norwich, in which case maybe we can meet at lunchtime one day if we're both in the city. If not, maybe I should make my way over to another ALUG meeting sometime. Isn't there one in Ipswich tonight? Do you go to those?
I don't go to any of the meetings. If you want to meet up sometime for an exchange, by all means suggest some dates. I can make a lunchtime in Norwich.
Mick
---------------------------------------------------------------------
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
---------------------------------------------------------------------
On Mon, Jul 16, 2012 at 04:29:29PM +0100, mick wrote:
On Mon, 16 Jul 2012 12:26:57 +0100 Richard Parsons richard.lee.parsons@gmail.com allegedly wrote:
I'm still pretty new to this, but understand that I'm meant to see government ID to confirm the identity of the person and also check that they can sign/decrypt with the key.
Up to you to decide what form of ID is "sufficient" for your purposes. Obviously a photo id (such as a passport or driving licence) issued by an authority both parties trust is preferable to something less rigorous, but bank cards or any such signature based id are also often acceptable. The point is, the policy ought to be established first and published so that later entrants to the party know what level of rigour is/was applied. In my view, there is little point in my insisting on you showing me your passport, if prior signings have been less rigorous.
I had thought that the idea was that a person should always have the same minimum standard for signing. That way, if you trust me, and you trust my criteria for signing other keys, you can trust the keys that I have signed. For that purpose it seemed to me to be a good idea to set a minimum personal standard, irrespective of the standards used by others.
You also need to decide /why/ the key signing exchange is necessary. You don't actually /need/ a web of trust for secure exchange of emails (which is what I use GPG for).
Yes, if I've understood correctly, the main point of a web of trust is to be more sure that the public key is the right one. Anyone could create a public key for your email address, or for a very similar email address, and publish it. However, if I can see that several people I trust have signed your key, I can have more confidence that I've gotten the proper public key for you.
Thanks Richard
On Sat, Jul 14, 2012 at 11:04:48PM +0100, richard.lee.parsons@gmail.com wrote:
Thanks Steve for the report.
On Fri, Jul 13, 2012 at 04:56:44PM +0100, Steve Engledow wrote:
On a suggestion from rlp10, last night ended up being somewhat of a PGP key-signing party. All of us around the table (there were 6 of us) - plus one passer-by that I happened to know - had PGP (or rather GPG) keys so, over the course of the night, we managed to each sign each other's keys. There was even provision of ID and encrypted emails sent to verify identity and key ownership. A fairly textbook key-signing I'd say.
Are there other list members who use GPG? It would be good to extend the web of trust beyond the regular pub attenders.
If you're going to do key-signing can you all update to "strong" keys please (ie something that's at least 2048 bits in size and uses a hash from the SHA-2 family; there are quite a few 1024D/SHA-1 keys in use it seems). If you're not sure how to generate one the instructions at:
http://keyring.debian.org/creating-key.html
might be helpful.
(In the event I turn up to an ALUG at some point I'm happy to cross sign with people but don't hold your breath on that.)
J.
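Added example, not part of any list member's mail: one way to check a keyring against the bar set in the message above (at least 2048 bits, SHA-2 signatures) by reading gpg's colon-delimited listing. The key IDs, user IDs and dates in the sample are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Audit a keyring listing against the thread's bar: >= 2048-bit keys and
# SHA-2 signatures. Reads `gpg --list-sigs --with-colons` output on stdin;
# field meanings follow GnuPG's doc/DETAILS.

audit_keys() {
    awk -F: '
    BEGIN {
        # OpenPGP hash ids in the SHA-2 family (RFC 4880, section 9.4)
        sha2[8] = "SHA256"; sha2[9] = "SHA384"
        sha2[10] = "SHA512"; sha2[11] = "SHA224"
    }
    $1 == "pub" || $1 == "sub" {
        if ($1 == "pub") primary = $5          # field 5: long key id
        # field 4: algorithm (1 RSA, 16 Elgamal, 17 DSA); field 3: bits.
        # ECC keys are skipped: their bit lengths are not comparable.
        if (($4 == 1 || $4 == 16 || $4 == 17) && $3 + 0 < 2048)
            printf "WEAK-KEY %s %s %d bits\n", $1, $5, $3
    }
    # Signatures issued by the key itself (self-sigs, subkey bindings):
    # field 5 is the issuer, field 16 the hash algorithm id. Old gpg
    # versions leave field 16 empty; those records are not judged.
    $1 == "sig" && $5 == primary && $16 != "" && !($16 in sha2) {
        printf "WEAK-HASH %s own signature uses hash id %s\n", primary, $16
    }
    '
}

# Constructed sample listing: an old 1024-bit DSA key with SHA-1 (id 2)
# signatures and a newer 2048-bit RSA subkey, then a 4096-bit RSA key
# that also carries a third-party SHA-1 certification.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:00000000AAAA0001:1023580800:1373414400::u:::scESC:
uid:u::::1023580800::::Constructed User One <one@example.org>:
sig:::17:00000000AAAA0001:1023580800::::Constructed User One <one@example.org>:13x:::::2:
sub:u:1024:16:00000000AAAA0002:1023580800:1373414400:::::e:
sig:::17:00000000AAAA0001:1023580800::::Constructed User One <one@example.org>:18x:::::2:
sub:u:2048:1:00000000AAAA0003:1342483200:1374019200:::::s:
sig:::17:00000000AAAA0001:1342483200::::Constructed User One <one@example.org>:18x:::::8:
pub:u:4096:1:00000000BBBB0001:1342483200:::u:::scESC:
uid:u::::1342483200::::Constructed User Two <two@example.org>:
sig:::1:00000000BBBB0001:1342483200::::Constructed User Two <two@example.org>:13x:::::8:
sig:::17:00000000AAAA0001:1342483200::::Constructed User One <one@example.org>:10x:::::2:
EOF
}

# Against a real keyring: gpg --list-sigs --with-colons | audit_keys
sample_listing | audit_keys
```

Only signatures a key makes over itself are judged for hash strength, so a third party's SHA-1 certification does not mark someone else's key as weak.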
If you're going to do key-signing can you all update to "strong" keys please (ie something that's at least 2048 bits in size and uses a hash from the SHA-2 family; there are quite a few 1024D/SHA-1 keys in use it seems). If you're not sure how to generate one the instructions at:
Good thinking Noodles.
I've generated a new key F3C186D1 (fingerprint 8327 7F9B 98AF 5D29 EDC2 A42B BFF7 1C0A F3C1 86D1) and attached it to this email.
I've signed it with my old key and signed this email with my old key so that should be enough for you to trust it.
If not, here's a block of text which I've signed with the new key :)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, world!
Cheers all, Steve
On Mon, Jul 16, 2012 at 10:54:11PM +0100, Steve Engledow wrote:
If you're going to do key-signing can you all update to "strong" keys please (ie something that's at least 2048 bits in size and uses a hash from the SHA-2 family; there are quite a few 1024D/SHA-1 keys in use it seems). If you're not sure how to generate one the instructions at:
Good thinking Noodles.
I've generated a new key F3C186D1 (fingerprint 8327 7F9B 98AF 5D29 EDC2 A42B BFF7 1C0A F3C1 86D1) and attached it to this email.
I've signed it with my old key and signed this email with my old key so that should be enough for you to trust it.
If not, here's a block of text which I've signed with the new key :)
How does that convince me that your old key hasn't been compromised and the person who now has control of it isn't trying to present a new key as "you" that you then can't read?
(I'll sign your new key when I meet you in person and exchange fingerprints.)
J.
On 16/07/12 23:11, Jonathan McDowell wrote:
I've signed it with my old key and signed this email with my old key so that should be enough for you to trust it.
If not, here's a block of text which I've signed with the new key :)
How does that convince me that your old key hasn't been compromised and the person who now has control of it isn't trying to present a new key as "you" that you then can't read?
Ooh. How about a picture of me holding a printed copy of a new message signed by both keys? :D
Could be doctored I suppose.
In person I could be coerced into telling you it's my new key. Maybe /I/'m compromised. I wouldn't be surprised. Keanu Reeves certainly was.
Where's Elrond when you need him?
On Mon, Jul 16, 2012 at 03:11:04PM -0700, Jonathan McDowell wrote:
On Mon, Jul 16, 2012 at 10:54:11PM +0100, Steve Engledow wrote:
I've signed it with my old key and signed this email with my old key so that should be enough for you to trust it.
If not, here's a block of text which I've signed with the new key :)
How does that convince me that your old key hasn't been compromised and the person who now has control of it isn't trying to present a new key as "you" that you then can't read?
Would Stilvoid's logic be sufficient if you had previously trusted the old key? Yes, the original key could have been compromised, but then I trusted that already. So if I trust a new key, which he has signed with the old key, then I don't think I'm extending my trust any further than it already was, right?
Richard
On Wed, Jul 18, 2012 at 05:39:50PM +0100, Richard Parsons wrote:
On Mon, Jul 16, 2012 at 03:11:04PM -0700, Jonathan McDowell wrote:
On Mon, Jul 16, 2012 at 10:54:11PM +0100, Steve Engledow wrote:
I've signed it with my old key and signed this email with my old key so that should be enough for you to trust it.
If not, here's a block of text which I've signed with the new key :)
How does that convince me that your old key hasn't been compromised and the person who now has control of it isn't trying to present a new key as "you" that you then can't read?
Would Stilvoid's logic be sufficient if you had previously trusted the old key? Yes, the original key could have been compromised, but then I trusted that already. So if I trust a new key, which he has signed with the old key, then I don't think I'm extending my trust any further than it already was, right?
But you are potentially affecting other people's trust. I want to send something to Stilvoid, but haven't signed any of his keys. I've signed yours. I see 2 keys for Stilvoid, one of which is signed by you and the other isn't, so I use the one I have a path to. If you've signed both I pick the stronger key. Suddenly I've sent Stilvoid something he can't read, but the attacker can.
If the attacker doesn't actually have the old key but was able to get it to sign the new key + transition statement then even worse the attacker can now read something they otherwise couldn't.
Yes, I'm getting a bit convoluted but I just don't feel entirely comfortable with transition statements that ask you to do the re-signing on the new key.
J.
On Wed, Jul 18, 2012 at 10:23:08AM -0700, Jonathan McDowell wrote:
If the attacker doesn't actually have the old key but was able to get it to sign the new key + transition statement then even worse the attacker can now read something they otherwise couldn't.
I think this is the crux of it. How could the above happen? If the attacker has signed the transition statement with the old key, hasn't he already compromised the old key? This is a sincere question, I'm open to be convinced.
If it's possible to forge the signed transition statement, without compromising the old key, then there is merit to trusting the old key and not the new one. On the other hand, if you reach the conclusion that the only way to sign the transition statement is to compromise the old key, then you may as well trust the new key -- there is no significant risk of the new key being compromised although the old one is not.
Richard
On Fri, Jul 20, 2012 at 12:33:54PM +0100, Richard Parsons wrote:
On Wed, Jul 18, 2012 at 10:23:08AM -0700, Jonathan McDowell wrote:
If the attacker doesn't actually have the old key but was able to get it to sign the new key + transition statement then even worse the attacker can now read something they otherwise couldn't.
I think this is the crux of it. How could the above happen? If the attacker has signed the transition statement with the old key, hasn't he already compromised the old key? This is a sincere question, I'm open to be convinced.
If it's possible to forge the signed transition statement, without compromising the old key, then there is merit to trusting the old key and not the new one. On the other hand, if you reach the conclusion that the only way to sign the transition statement is to compromise the old key, then you may as well trust the new key -- there is no significant risk of the new key being compromised although the old one is not.
What happens if the old key is compromised briefly? Eg it's a smartcard that's left inserted into a machine long enough to do the signature of a new key and a transition statement, but then removed and not available to the attacker any more?
Or even if the old key is completely compromised and the owner realises it and issues a revocation certificate but by that point the new key has been well signed and the owner has no way of convincing people to remove their sigs from that key (he's said not to trust the old key...).
J.
On Tue, 24 Jul 2012 14:24:08 -0700 Jonathan McDowell noodles@earth.li allegedly wrote:
What happens if the old key is compromised briefly? Eg it's a smartcard that's left inserted into a machine long enough to do the signature of a new key and a transition statement, but then removed and not available to the attacker any more?
I think that this is an extremely improbable scenario. For this to occur, you have to posit the attacker preparing a new key and transition statement in advance and holding those ready for the one moment that the key owner "forgets" that he/she has left the token inserted. That level of preparedness in anticipation of a possibly rare event seems to me unlikely unless the target is both hugely valuable to the attacker, and the attacker has very significant resources (particularly in time and personnel).
Personally, even I am not that paranoid.
Or even if the old key is completely compromised and the owner realises it and issues a revocation certificate but by that point the new key has been well signed and the owner has no way of convincing people to remove their sigs from that key (he's said not to trust the old key...).
Now that /is/ much more likely and a worrying scenario. But there are a couple of ways around this. Firstly, the transition statement should not seek signatures. Signatures for the new key should be obtained off-line in a secure manner. Secondly, if for some reason, signatures for the new key must be obtained in a sub-optimal manner, then the transition statement should say something like: "Signers of my old key are invited to sign the new key once they have satisfied themselves that I am indeed the owner of this new key. Please note, that using either old or new key to verify my identity may be insufficient evidence if the old keys have been compromised."
But what does this really solve? If we are saying that we should not trust the new key, because the old key may be compromised, by the same logic we should not trust the old key at all. It may well have been compromised and no new key or transition statement issued.
Or am I missing something?
Mick
---------------------------------------------------------------------
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
Note that I have recently upgraded my GPG key see: http://baldric.net/2012/07/20/gpg-key-upgrade/
---------------------------------------------------------------------
On Wed, Jul 25, 2012 at 03:13:11PM +0100, mick wrote:
Now that /is/ much more likely and a worrying scenario. But there are a couple of ways around this. Firstly, the transition statement should not seek signatures. Signatures for the new key should be obtained off-line in a secure manner. Secondly, if for some reason, signatures for the new key must be obtained in a sub-optimal manner, then the transition statement should say something like: "Signers of my old key are invited to sign the new key once they have satisfied themselves that I am indeed the owner of this new key. Please note, that using either old or new key to verify my identity may be insufficient evidence if the old keys have been compromised."
I am in favour of transition statements in general, the bit I object to is those which ask signers of the old key to sign the new key based only upon the transition statement. So I think at this point we're in agreement.
J.
On Mon, 16 Jul 2012 13:42:10 -0700 Jonathan McDowell noodles@earth.li allegedly wrote:
If you're going to do key-signing can you all update to "strong" keys please (ie something that's at least 2048 bits in size and uses a hash from the SHA-2 family; there are quite a few 1024D/SHA-1 keys in use it seems). If you're not sure how to generate one the instructions at:
http://keyring.debian.org/creating-key.html
might be helpful.
Good advice.
But that reference gives instructions for a new key, rather than migrating an existing key to 2048 bits SHA2.
This ref might help.
http://www.debian-administration.org/users/dkg/weblog/48
Thanks again.
Mick
---------------------------------------------------------------------
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
---------------------------------------------------------------------
On Tue, Jul 17, 2012 at 03:01:18PM +0100, mick wrote:
On Mon, 16 Jul 2012 13:42:10 -0700 Jonathan McDowell noodles@earth.li allegedly wrote:
If you're going to do key-signing can you all update to "strong" keys please (ie something that's at least 2048 bits in size and uses a hash from the SHA-2 family; there are quite a few 1024D/SHA-1 keys in use it seems). If you're not sure how to generate one the instructions at:
http://keyring.debian.org/creating-key.html
might be helpful.
Good advice.
But that reference gives instructions for a new key, rather than migrating an existing key to 2048 bits SHA2.
This ref might help.
The extra steps from dkg about the transition document etc aren't quite so relevant if you can get most of your signatures again by going to an ALUG pubmeet. ;)
J.
Richard asked:
Are there other list members who use GPG? It would be good to extend the web of trust beyond the regular pub attenders.
Yes, I do. I'm not often in the pub in Norwich because another group I like meets in King's Lynn on second Thursdays and that's 4 miles away instead of 44...
pub 1024D/E142E6F4 2002-06-09 [expires: 2013-07-10]
    Key fingerprint = B55E 1248 ADE6 9094 95BA C7E5 9946 397A E142 E6F4
sub 1024g/16E0A3CD 2002-06-09 [expires: 2013-07-10]
sub 2048R/20BF6005 2012-07-17 [expires: 2013-07-17]
I'm happy to sign keys for ALUGgers who have been using the same identity for a while. I will not sign on a first meeting based only on state-issued ID. http://www.no2id.net/IDSchemes/whyNot
Regards,