
Re: April Mumbai Debian Users Group Meetup

at bottom :-

On 4/22/15, sco1984@gmail.com <sco1984@gmail.com> wrote:
> On 21 April 2015 at 11:50, Rigved Rakshit <r.phate@gmail.com> wrote:
>> Yes, you are more than welcome to do so.
> I mean if you guys can club key signing party :-)

What do you mean by 'club'?

> I don't have authority to issue the keys.

The WOT (Web Of Trust) isn't about Debian at all but a much larger
idea. In any new place you go, one of the problems is that nobody
knows anything about you. Yes, you may have your passport and other
identity information, but is/should that be enough to say you are who
you say you are? Maybe, maybe not. Also it's expensive.

The Web Of Trust is saying that x or y or z believes I am who I say I
am.  So somebody is trusting you as far as identity is concerned.  It
doesn't tell anything about your technical competence or inability for
the same. It is simply a trust model where you can use your public key
to sign a document/software etc. (either with encryption or without)
and the other person would know that it's you who sent that
document/software or whatever it is that you have signed.

Now can somebody forge papers/keys and break that trust model?
Umm... I am not up-to-date with the various algorithms, but this used
to happen in the 2k3/2k4 era AFAIK (when pgp 2.x was the norm); nowadays
I don't think so, although my knowledge of GPG is far from
complete as it's a complex topic and I don't need to use it that much
in my every-day life so far.

Then why do people do it?
I think it's an inherent need in people to have and show good faith in
others. Another reason is people like to brag about how many people's keys
they were able to sign and in turn how many people signed their key
(in a sort of quid pro quo). Also, if you are an activist or a
potential whistle-blower or generally want to keep your communications
private from any and all govt., private interest firms (behemoths)
like Google, Yahoo and others, you should do it.

Lastly, who can issue/generate keys?
You. You don't need a bank or govt. or anybody else. What you just
need is a bit of modern hardware (anything from the last 5 years or so
should do), preferably a GNU/Linux system (or BSD or basically any
Operating System), as recent a version of GPG as possible, and as good a
key as you want to make. AFAIK 4096 is the current standard but you can go as
high as you want; the bigger the number, the more time it will
take you to generate it, and there might be an issue that people may
not have access to similar hardware, so what length to have is usually
decided by consensus.

While I did explain all the above, a much better explanation can be
found at http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#overview

> Regards,
> Amey.

          Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8
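As an added illustration (not part of the mailing-list post, and not GnuPG's own code) of how "x or y or z believes I am who I say I am" becomes a yes/no decision about a key: a toy model of the classic PGP Web of Trust validity rule, using GnuPG's default thresholds (one fully trusted certifier or three marginally trusted ones, at most five hops from your own key). The names, signatures and trust assignments below are constructed.

```python
# Toy Web of Trust validity computation, modelled loosely on GnuPG's classic
# trust model (defaults: completes-needed=1, marginals-needed=3,
# max-cert-depth=5). Simplified: no expiry, revocation or per-UID handling.
FULL, MARGINAL, NONE = "full", "marginal", "none"

def compute_validity(sigs, owner_trust, ultimate,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key we would treat as valid.

    sigs:        {signed_key: {signer_key, ...}}  who certified whose identity
    owner_trust: {key: FULL|MARGINAL}             how much we trust an owner
                                                  to certify *other* people
    ultimate:    our own key(s); valid by definition and fully trusted
    """
    def trust(k):
        return FULL if k in ultimate else owner_trust.get(k, NONE)

    valid = {k: 0 for k in ultimate}
    changed = True
    while changed:                      # fixed point: loop while new keys qualify
        changed = False
        for key, signers in sigs.items():
            if key in valid:
                continue
            # Only certifications made by keys that are themselves valid count.
            full = [s for s in signers if s in valid and trust(s) == FULL]
            marg = [s for s in signers if s in valid and trust(s) == MARGINAL]
            if len(full) >= completes_needed or len(marg) >= marginals_needed:
                depth = 1 + min(valid[s] for s in full + marg)
                if depth <= max_depth:  # too far from our own key: not trusted
                    valid[key] = depth
                    changed = True
    return valid

# Constructed keysigning-party data; "me" is our own key.
SIGS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice"},                      # one fully trusted signer suffices
    "erin": {"bob", "carol", "dave"},       # three marginal signers suffice
    "frank": {"bob", "carol"},              # only two marginals: not enough
    "grace": {"mallory"},                   # signer nobody we trust vouched for
}
OWNER_TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    for k, d in sorted(compute_validity(SIGS, OWNER_TRUST, {"me"}).items()):
        print(f"{k}: valid (depth {d})")
```

Note that "grace" stays invalid no matter how many strangers sign her key: a signature only counts once its signer is reachable from your own key, which is the whole point of the keysigning party.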
