On Thu, Jun 16, 2022 at 05:39:53AM +0200, Dashamir Hoxha wrote:
> On Tue, Jun 14, 2022 at 12:28 AM Gunnar Wolf <gwolf@debian.org> wrote:
>
> >
> > Most of you are aware that the keyserver network is currently in a
> > quite weak status; please ensure we can find your updated keys at
> > several different keyservers (at least, by uploading them); I suggest
> > you try something like the following:
> >
> > $ export MY_KEY=0x2404C9546E145360 # Naturally, your key goes here
> > $ for i in pgpkeys.eu pgp.surf.nl pgp.pm keyserver.ubuntu.com the.earth.li
> > > do
> > > gpg --keyserver $i --send-key $MY_KEY
> > > done
> >
>
> Here are my public keys:
> https://cloud.fs.al/s/wrer7jXfF4EtZot/download/9EAA95B4E9731B6B757ACD629229692B9A5D205A.pubkey
> https://cloud.fs.al/s/m4GSibeESJA3enk/download/18931AB4720C1EA3C28B95B3775FB44C0C6AD08D.pubkey
>
> I'd suggest that we try a keysigning party without keyservers this time. It
> should not be very difficult.
> The issue is not whether the keyservers will be up during the conference or
> not, rather it is that the keyserver model seems to be broken and should be
> avoided/abandoned.
> About the WKD, if it does not support well keysigning and WoT, maybe it
> should be improved to support them.
> The ideal solution, in my opinion, would be to start using self-sovereign
> identity, but we are not there yet.
>
> To sign public keys without keyservers, as far as I can understand, the
> steps would be like these:
> 1. The coordinator collects all the public keys of the participants in a
> keyring and shares this keyring with all the participants (Gunnar has
> already mentioned that he is going to do this).
> 2. Each participant verifies physically some other participants and marks
> their fingerprints on the list, in order to sign them later.
> 3. Using the shared keyring and his private key, he signs each verified
> key, exports the key, encrypts it with the signed public key, and sends it
> by attachment to the corresponding owner.
> 4. The owner of the signed key decrypts it (which also verifies that he
> owns this key), and imports the signature on his key.
> 5. The owner of the key may publish the updated key, which includes the new
> signatures. Re-publishing can be done by WKD, by uploading it somewhere,
> sending it by attachment, etc.

Your step 1 imposes an arbitrary amount of work on the person running
the keysigning, as they have to manually download keys from random
locations, instead of running a simple for loop over the fingerprints
collected from the DebConf22 registration data to fetch them from
keyservers.
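The sign, export, encrypt, decrypt and import round trip from the quoted steps 1, 3 and 4, as an added example that is not part of either message. It assumes GnuPG 2.2 or later; the two throwaway keys, their user IDs, the function names and the file name `signed.gpg` are constructed for illustration.

```shell
#!/bin/sh
# Added example: steps 1, 3 and 4 of the keyserver-less procedure, run locally.
# Both keys and all user IDs are constructed throwaway test data.
set -eu

gen_key() {  # $1 = GnuPG home, $2 = user ID; creates an unprotected test key
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$2" default default never
}

fpr_of() {   # $1 = GnuPG home, $2 = user ID; prints the primary fingerprint
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

keysign_roundtrip() {  # prints how many certifications the signer added
    signer=$(mktemp -d) owner=$(mktemp -d)
    {
        gen_key "$signer" 'Signer (constructed) <signer@example.org>'
        gen_key "$owner" 'Owner (constructed) <owner@example.org>'
        signer_fpr=$(fpr_of "$signer" signer@example.org)
        owner_fpr=$(fpr_of "$owner" owner@example.org)
        # Step 1: the owner's public key arrives via the shared keyring.
        gpg --homedir "$owner" --batch --export "$owner_fpr" |
            gpg --homedir "$signer" --batch --quiet --import
        # Step 3: certify the key, export it, encrypt it to the signed key.
        gpg --homedir "$signer" --batch --quiet --quick-sign-key "$owner_fpr"
        gpg --homedir "$signer" --batch --export "$owner_fpr" |
            gpg --homedir "$signer" --batch --quiet --trust-model always \
                --recipient "$owner_fpr" --output "$signer/signed.gpg" --encrypt
        # Step 4: only the holder of the private key can decrypt and import.
        gpg --homedir "$owner" --batch --quiet --decrypt "$signer/signed.gpg" |
            gpg --homedir "$owner" --batch --quiet --import
    } >&2
    # Count certifications on the owner's copy issued by the signer's key ID.
    count=$(gpg --homedir "$owner" --batch --with-colons --list-sigs "$owner_fpr" |
        awk -F: -v s="$signer_fpr" \
            '$1 == "sig" && index(s, $5) { n++ } END { print n + 0 }')
    for d in "$signer" "$owner"; do
        gpgconf --homedir "$d" --kill gpg-agent >&2 || true
        rm -rf "$d"
    done
    echo "$count"
}

sig_count=$(keysign_roundtrip)
echo "certifications by the signer on the owner's key: $sig_count"
```

The encrypted file stands in for the mail attachment of step 3; the signer's public key is never imported on the owner's side, so the new certification is matched by key ID only.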