Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes every weekday Monday through Friday.

hpr1500 :: Key Signing

Ahuka and Tony Bemus discuss key signing and how you build a web of trust.

Hosted by Ahuka on Friday, 2014-05-02 is flagged as Clean and is released under a CC-BY-SA license.
Tags: public key encryption, GPG, keyring, key signing, Mailvelope.
The show is available on the Internet Archive at: https://archive.org/details/hpr1500

Duration: 00:28:53

Privacy and Security.

In this open series, you can contribute shows that are on the topic of Privacy and Security.

One of the issues in using public key encryption is ensuring you know who you are communicating with, and that you have correctly matched the owner to the key. Otherwise, your communication could be intercepted and decrypted by a third party. The way we solve this problem is with key signing, which is often done at key signing parties. We discuss all this with Tony Bemus of the Sunday Morning Linux Review.

Comments

Comment #1 posted on 2014-05-09 17:31:12 by Bert Yerke

I attend the key-signing party at SCaLE every year. Phil Dibowitz usually hosts and has done so for many years. He recommends not to do any actual signing at the party but rather use a worksheet to verify the keys and then follow up at home (or in your hotel room) after the party. First each participant reads his/her fingerprint while the rest of us check it off on the list. Then we form a "conga line" to verify identity with some form of picture ID. Passports are the most trusted form of ID.
There is more information at Phil's website:
https://www.phildev.net/pgp/gpgsigning.html
He also has a program to do some of the heavy lifting:
https://www.phildev.net/pius/
PIUS can be used to manage the party and to follow up after. It is a nice way to process each of the new keys, requiring intervention only to set validation level and it also mails the signed key to the owner automagically.

Hope that helps,
Bert
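The worksheet workflow Bert describes, as an added example that is not part of his comment and is not PIUS: a small Python script that derives a v4 OpenPGP fingerprint from a public-key packet the way RFC 4880 defines it, then checks the keys fetched after the party against the fingerprints ticked off on the sheet, refusing to clear anything that does not match. The key bodies, names and worksheet entries are constructed sample data, not real keys.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    # OpenPGP multiprecision integer: 2-byte bit length, then big-endian magnitude
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    # Public-Key packet body (RFC 4880 5.5.2): version 4, creation time, algo 1 (RSA), n, e
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> str:
    # v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, the body
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fpr: str) -> str:
    # Long key ID = low 64 bits of the fingerprint; never compare only this at a party
    return fpr[-16:]

def grouped(fpr: str) -> str:
    # Worksheets print fingerprints in groups of four for reading aloud
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def check_worksheet(fetched: dict, worksheet: dict) -> dict:
    # Compare keys fetched after the party with the fingerprints ticked off on the sheet.
    # Verdicts: 'sign' (match), 'MISMATCH' (do not sign), 'not verified' (no sheet entry).
    verdicts = {}
    for name, body in fetched.items():
        ticked = worksheet.get(name)
        if ticked is None:
            verdicts[name] = "not verified"
        elif "".join(ticked.split()).upper() == fingerprint(body):
            verdicts[name] = "sign"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts

# Constructed sample data: the moduli are stand-ins, not real RSA keys.
ALICE = v4_rsa_key_body(1398988800, (1 << 2047) + 12345, 65537)
BOB = v4_rsa_key_body(1398988800, (1 << 2047) + 67890, 65537)
BOB_OTHER = v4_rsa_key_body(1398988800, (1 << 2047) + 99999, 65537)  # same name, different key
CAROL = v4_rsa_key_body(1398988800, (1 << 2047) + 24680, 65537)      # not checked at the party
WORKSHEET = {"Alice": grouped(fingerprint(ALICE)), "Bob": grouped(fingerprint(BOB)).lower()}
FETCHED = {"Alice": ALICE, "Bob": BOB_OTHER, "Carol": CAROL}         # what the keyserver returned

def run_check() -> dict:
    return check_worksheet(FETCHED, WORKSHEET)
```

Only entries that come back as 'sign' would then go on to the usual signing and mailing step; a 'MISMATCH' means the key the keyserver returned is not the one whose fingerprint was read out.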

Comment #2 posted on 2014-05-10 07:35:07 by Ken Fallon

Conga line fail ?

Hi Bert,

You might want to also listen to https://hackerpublicradio.org/eps.php?id=1461 where Dave reports on his experiences in a conga line.

Ken.

Comment #3 posted on 2014-05-15 15:10:45 by Dave Morriss

Next time music?

Hey Bert,

Thanks for mentioning PIUS. I received a few signatures from people using this after this year's FOSDEM.

I realise now what else was missing from the FOSDEM "conga" - music :-)

Dave

Comment #4 posted on 2014-05-17 21:31:30 by Alison Chaiken

import existing keys from server into APG?

Has anyone figured out how to import existing public keys from a keyserver into APG? The help the app provides is quite limited. I don't see any advantage to creating a new key for my phone. Am I missing something?

Excellent series, Ahuka. I installed mailvelope as well.

Comment #5 posted on 2014-05-17 22:15:15 by Alison Chaiken

not all keys appear in "encrypt for" list?

The list of keys I can encrypt for is much shorter than the list of keys I successfully imported. Anyone else have this problem? Restarting the browser did not help.

Comment #6 posted on 2014-05-18 09:30:50 by Alison Chaiken

Mailvelope, APG and K9mail working!

It has taken me a couple of hours, but I have Mailvelope, APG and K9mail working on my Android phone as well as on my laptop. I finally figured out that there is a hidden tab that allows APG to import keys from keyservers. For K9mail, since I use two-factor authentication with gmail, I had to set up an "application-specific password." I put my secret key on my phone by MTPFS mounting it, copying the ASCII-armored secret key to the Downloads folder, importing it into APG, and then remounting the folder to delete it.

Useful links:
https://www.minertechsolutions.com/blogs/how-to-configure-your-android-phone-with-gmail-using-k-9-mail-more/

https://android.stackexchange.com/questions/54559/how-do-i-setup-a-gmail-account-with-2-step-verification-in-k-9-mail
