Hybrid keysigning party, your opinion?

classic Classic list List threaded Threaded
30 messages Options
12
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Hybrid keysigning party, your opinion?

Peter Lebbing
Hi all,

In just a few weeks, the 33C3 will be held in Hamburg, the 33th Chaos
Communication Congress organized by the Chaos Computer Club. I intend to
organize a keysigning party, just because they are fun.

I am asking for your thoughts on a variant of the organization of the
keysigning party. I'll explain my reasoning and intentions, and I would
like to know if you think I forgot to think of something important. Is
there a way a malicious party could get people to sign the wrong UID,
because I didn't think of that way? I'm not interested in ways people
could cheat at the usual "informal" keysigning party model, with
exchanging paper keyslips. This is because this would be my fallback
model, if the proposed model doesn't work out. So I'm only interested in
cases where the proposed model introduces extra issues compared to the
informal exchanging keyslips model.

There are several methods to do a keysigning party. One of them is the
"Sassaman efficient" version. It requires preparation, and this
preparation must be done in time that everybody can print out their copy
of the list. With a congress spanning several days, this means the
preparation should probably be done before the congress, since in
general you shouldn't print your list on a printer you don't completely
trust, and most people don't bring a printer (I did! :).

Now Sassaman efficient has a very big issue. There will always be people
who also wish to attend the keysigning party who did not participate in
the preparations. As far as I can see, these people could just
participate as equals with printed out keyslips to hand out to the other
people. However, I've seen multiple times that these late guests were
treated as second-class participants. I've actually seen them delegated
to the corridor outside the room where the party was held, told to wait
until the others were done! I never got a chance to exchange
fingerprints with these people because of course they left a long time
before the party inside was done. I can't imagine this was a very
pleasant experience for them.

The common denominator of the Sassaman efficient and the informal method
is that you form a line of people that folds in on itself. Now, as I see
it, you can just form a line beginning with the people on the list and
ending with the people who joined late.[1] With the people on the list,
you only check ID's and place a checkmark on your list when satisfied.
Once you get to the part with the late attendants[2], you instead
exchange key slips. I don't see why the people who are not on the list
should not be allowed to be in the same line, yet it is what I've seen
happening.

Anyway, so, Sassaman efficient has a major problem. It also has
advantages. At the bottom line, there is only one advantage I find relevant.

With Sassaman efficient, you actually only have to check one SHA256 hash
and your own fingerprint.

No matter how many attendees, you don't have to check anyone else's
fingerprint manually. Just the two!

This is because you have a SHA256-protected list of fingerprints already
in digital form; no need to compare to printed out digits on paper. All
attendees who participated in the preparation have gotten a text file
which contains all fingerprints of the participants, and they print out
this list as well as compute its checksum. Additionally, they check that
their *own* fingerprint in this list is correct. At the event, the
SHA256 checksum of the text file is read aloud and everybody compares it
to the checksum on their piece of paper. Next, each participant on the
list is asked in turn whether their fingerprint checked out.[3]

After the event, you'll go home and sign keys, using the verified text
file that has the correct SHA256 checksum. Now when you use CA - Fire
and Forget, caff, all you have to check are the UID's you are signing.
The SHA256 checksum has already ascertained that the fingerprints in the
text file are correct; anyone altering a fingerprint will necessarily
alter the checksum of the file. And caff checks the fingerprint for you
from the known-correct file! As long as all participants verified that
their own fingerprint is correct in the file with the correct SHA256
hash, all fingerprints have been verified already.

It will still be *very* important to verify the UID's manually. What if
the official list had a key with fingerprint X and UID
<[hidden email]>, but once you download the key with fingerprint X,
there's instead an UID <[hidden email]>? You need to check that you
only sign UID's carrying Alice's name that you verified from her
passport or similar thing.

I quite like it that I don't have to verify dozens of fingerprints
manually; I'd like to keep the list if possible. So can we improve on
the party where there is a line of both people on the list and people
with keyslips? I think we can.

I think ideally, the participants who only joined after the preparations
should also be able to use the list for the people that are on it, to
put checkmarks and be able to sign without manual fingerprint
verification. But you can't /just/ give them a copy of the list on paper
to trust on, because that printout could have been altered. If they have
a printout with an altered fingerprint, this will confuse them and lead
them down a bad road. But they don't actually need to check the
fingerprint, right? Why print it out then?

First, let me show you a possible participant list for Sassaman
efficient, as produced by gpgparticipants (signing-party package of
Debian). Then let me show what I'd like to alter.

                                    CUT HERE
-----------------------------8<------------------>8-----------------------------

Sunday, December  4, 2016;  12:00
                                               Gyro Gearloose
<[hidden email]>


                   T E S T   H Y B R I D   P A R T Y

                     List of Participants  (v 1.0)


Here's what you have to do with this file:

(1) Print this UTF-8 encoded file to paper.

(2) Compute this file's SHA256 checksum.

      gpg2 --print-md SHA256 ksp-test.txt

(3) Fill in the hash values on the printout.

(4) Bring the printout, a pen, and proof of identity to the key signing
party
    (and be on time!).


SHA256 Checksum: ____ ____   ____ ____   ____ ____   ____ ____

                 ____ ____   ____ ____   ____ ____   ____ ____
   [ ]



001  [ ] Fingerprint OK        [ ] ID OK
pub   rsa2048/35FEAAB2 2011-03-18 [SC] [expired: 2014-08-15]
      Key fingerprint = 7AA6 6193 3AFB F009 D3FF  931D 5A48 8393 35FE AAB2
uid                    Scrooge McDuck <[hidden email]>

_______________________________________________________________________________

002  [ ] Fingerprint OK        [ ] ID OK
pub   rsa2048/17C05EBD 2014-08-13 [SC] [expired: 2015-05-29]
      Key fingerprint = 9BF2 FC98 F2C5 8E7C 2F1A  BBB1 9D39 0555 17C0 5EBD
uid                    Donald Duck <[hidden email]>

_______________________________________________________________________________

003  [ ] Fingerprint OK        [ ] ID OK
pub   rsa1024/503560C4 2014-08-14 [SC] [expired: 2014-08-21]
      Key fingerprint = C956 4F26 D57B 160F 7258  7865 6CBD 1E35 5035 60C4
uid                    Daisy Duck <[hidden email]>

_______________________________________________________________________________

004  [ ] Fingerprint OK        [ ] ID OK
pub   rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19]
      Key fingerprint = 8FA9 4E79 AD6A B56E E38C  E5CB AC46 EFE6 DE50 0B3E
uid                    Peter Lebbing <[hidden email]>

_______________________________________________________________________________

005  [ ] Fingerprint OK        [ ] ID OK
pub   rsa1024/DCDFDFA4 2012-03-17 [SC] [expires: 2016-12-10]
      Key fingerprint = 8254 72F3 7172 B95A DC73  49BE 98B6 7DE4 DCDF DFA4
uid                    167-671 <[hidden email]>

_______________________________________________________________________________

006  [ ] Fingerprint OK        [ ] ID OK
pub   rsa1024/0E675C27 2016-12-03 [SC] [expires: 2016-12-10]
      Key fingerprint = 9995 E685 2227 CB3F A7D0  D426 B0D4 EDBE 0E67 5C27
uid                    Magica De Spell <[hidden email]>

_______________________________________________________________________________

-----------------------------8<------------------>8-----------------------------
                                    CUT HERE

You can further process this list before printing with gpgsigs, which
will annotate the list with both the checksum and an indication when you
have already signed an UID (this changes the "uid" lines above to the
format as seen in the next bit).

Now I'm proposing to remove all information that does not need to be
manually checked, and give all participants who didn't do the
preparation this scrubbed list. It would look like this:

                                    CUT HERE
-----------------------------8<------------------>8-----------------------------

Sunday, December  4, 2016;  12:00
                                               Gyro Gearloose
<[hidden email]>


                   T E S T   H Y B R I D   P A R T Y

                     List of Participants  (v 1.0)


Here's what you have to do with this file:

(1) Print this UTF-8 encoded file to paper.

(2) Compute this file's SHA256 checksum.

      gpg2 --print-md SHA256 ksp-test.txt

(3) Fill in the hash values on the printout.

(4) Bring the printout, a pen, and proof of identity to the key signing
party
    (and be on time!).


SHA256 Checksum: CEA0 9114   F8AD 5FDD   A0F4 7984   47C8 D1C1

                 3B1F B76B   68AC 3B12   78FE C3EC   E95B 73D8
   [ ]



001  [ ] Fingerprint OK        [ ] ID OK



( ) Scrooge McDuck <[hidden email]>

_______________________________________________________________________________

002  [ ] Fingerprint OK        [ ] ID OK



( ) Donald Duck <[hidden email]>

_______________________________________________________________________________

003  [ ] Fingerprint OK        [ ] ID OK



( ) Daisy Duck <[hidden email]>

_______________________________________________________________________________

004  [ ] Fingerprint OK        [ ] ID OK



( ) Peter Lebbing <[hidden email]>

_______________________________________________________________________________

005  [ ] Fingerprint OK        [ ] ID OK



( ) 167-671 <[hidden email]>

_______________________________________________________________________________

006  [ ] Fingerprint OK        [ ] ID OK



( ) Magica De Spell <[hidden email]>

-----------------------------8<------------------>8-----------------------------
                                    CUT HERE

Now once these people get home, they get the original text file from the
organizer, and verify its checksum using their paper copy. Additionally,
they need to check that the UID's on their paper copy have the same
serial number as the ones in their digital copy. This is an additional
task compared to what the other participants need to do; since the
others printed their own version they *know* the only way UID's could
have been swapped or added is if they did it themselves before printing.

After the late participants have verified the checksum and the
serial<->UID mapping, they can continue as the other people, not
verifying fingerprints because they already verified the SHA256 sum.

The reason for wiping out the parts that aren't checked is so people
will not get confused should they mismatch. If the one doing the
printing was malicious, they could alter fingerprints on the list. This
would entice people to sign the key with that fingerprint, even though
it is the wrong one. You could tell people that they need to ignore this
unverified information and use the official, SHA256-verified digital
list only, but that is asking for trouble. Just remove this unverified
information and be done with it!

So, thank you for reaching the bottom of my mail. What do you think?
Does it work? If not, I'm falling back to the informal model, to remove
the perverse incentive that arises from using Sassaman efficient, the
incentive to treat latecomers as second-class (since my proposal
includes them explicitly in the process, they won't be left out).

Thanks,

Peter.

[1] The only reason I group the list people and the keyslip people is so
you only have to switch exchange method twice; you start out with one
group, halfway switch to the other group, and then later switch back to
the first group. The people at the very beginning and end of the line
only switch once.

[2] Well, late as in not early. Let's hope they're not deceased by then ;-P.

[3] There will be an issue here if the checksum did not check out for
someone; the organizer should make clear that once your checksum is
wrong, you should stop using that mangled version at once.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Stephan Beck


Peter Lebbing:
> Hi all,
>
> In just a few weeks, the 33C3 will be held in Hamburg, the 33th Chaos
> Communication Congress organized by the Chaos Computer Club. I intend to
> organize a keysigning party, just because they are fun.
>
> I am asking for your thoughts on a variant of the organization of the
> keysigning party.

...
Doesn't your proposal imply that late attendees could
make their way through all the keysigning without fingerprint
verification? Or do I miss something?

Cheers

Stephan


Thank you in any case for your detailed information, that encouraged me
to install the keysigning package and have a look into it. It seems to
be a great tool for organizing a key-signing event!



_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

0x4218732B.asc (4K) Download Attachment
0x4218732B.asc (4K) Download Attachment
0x4218732B.asc (4K) Download Attachment
signature.asc (465 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Lachlan Gunn
Le 2016-12-08 à 08:14, Stephan Beck a écrit :
> Doesn't your proposal imply that late attendees could
> make their way through all the keysigning without fingerprint
> verification? Or do I miss something?

If I understand correctly, the late attendees still get a copy of the
fingerprints after the fact, they just don't have it on their sheet of
paper.  The fingerprint-less piece of paper just lets them keep a record
of who they have verified, and gives them a hash of the list that does
have the fingerprints, which they can compare with the people who were
ready beforehand (to make sure that the fingerprints have been verified
by the identity holders).

I've actually thought of doing an electronic keyslip program for mobile
phones/tablets that would let you build the list electronically using QR
codes or NFC, or maybe doing it via the hash-on-the-projector method for
maximum speed.  Then you could just download the file to your signing
machine and let CAFF do its thing.

Would this interest anyone?  Does the idea have flaws that I'm blind to?

Thanks,
Lachlan


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Recording keysigning attendants on phone (was: Hybrid keysigning party, your opinion?)

Peter Lebbing
On 08/12/16 07:29, Lachlan Gunn wrote:
> If I understand correctly, the late attendees still get a copy of the
> fingerprints after the fact, they just don't have it on their sheet of
> paper.  The fingerprint-less piece of paper just lets them keep a record
> of who they have verified, and gives them a hash of the list that does
> have the fingerprints, which they can compare with the people who were
> ready beforehand (to make sure that the fingerprints have been verified
> by the identity holders).

Yes, that is spot on what I had in mind. What do you think?

> Does the idea have flaws that I'm blind to?

I can't say as to your perception, but all these "verify at the party, sign
after the party" share the problem that the list could be modified in the time
between verifying and signing.

Somebody could picpocket your list, add checkmarks with the same type of pen you
used, and then sneak it back into your possession. That's a physical act that
requires an intimate level of proximity.

A phone or tablet is a wirelessly connected device that could be hacked from a
distance, and it could be done even before the keysigning.

I'd say the latter is in principle more vulnerable; but it depends on your
threat model. If, for instance, you've already concluded that you want to have
your primary key on the same phone or tablet, it doesn't matter anymore if you
then also keep this party list on there.

For the sake of my sanity and the fact that I'll need to make the decision about
the 33C3 keysigning soon, let's please not mingle these subthreads. If you reply
to my "What do you think?", I'd suggest re-instating the previous Subject:-line :-).

Thank you!

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Peter Lebbing
In reply to this post by Stephan Beck
Stephan and Lachlan, thank you for thinking about this! I need to make a
decision soon, I really need feedback!

On 07/12/16 22:44, Stephan Beck wrote:
> Doesn't your proposal imply that late attendees could
> make their way through all the keysigning without fingerprint
> verification? Or do I miss something?

The normal attendees also don't do any fingerprint verification *at the party*.
At home, before the party, they checked their own fingerprint, and generated the
SHA256 checksum for the file they got. At the party, everybody together checks
the SHA256 checksum by simply reading aloud each and every digit.

> Thank you in any case for your detailed information, that encouraged me
> to install the keysigning package and have a look into it. It seems to
> be a great tool for organizing a key-signing event!

It is :-)

I wouldn't say my information is detailed actually, I could write a *lot* more
about proper procedure. But I hoped I didn't have to, instead just focussing on
what I wanted to do *differently* from usual.

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Stephan Beck
In reply to this post by Lachlan Gunn
Hi,

Lachlan Gunn:

> Le 2016-12-08 à 08:14, Stephan Beck a écrit :
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
>
> If I understand correctly, the late attendees still get a copy of the
> fingerprints after the fact, they just don't have it on their sheet of
> paper.  The fingerprint-less piece of paper just lets them keep a record
> of who they have verified, and gives them a hash of the list that does
> have the fingerprints, which they can compare with the people who were
> ready beforehand (to make sure that the fingerprints have been verified
> by the identity holders).
yes, they still get the original file from the organizer afterwards,
that's true.

caff automatically checks the fingerprint on import (before mailing out
each of the signed keys/UID), so there's no way of tampering. If they
hadn't those fingerprints (or the original file/list), caff would not
let them go on.

Quote from README.many-keys

$ caff <options> <ksp-annotated.txt

caff will ignore participants for which both the "ID" and
  "Fingerprint" checkboxes are not *both* marked with an 'x'.
  (Moreover, keys are selected using their 40-hex digits fingerprint,
  which must be present in the list.)

Nevertheless, they can go through all the key-signing (event) without
directly verifying fingerprints (although they do have sufficient
cryptographic or computational evidence via checksum that others have
indeed done so); even though I don't see any way of cheating, in Peter's
proposal, I find that this aspect is remarkable.
More remarkable, however, is the fact that he tries to include people
that on other occasions are being treated as second-class participants.
If I could be there I'd really like to participate and help (no "angels"
needed, Peter? Tickets are sold out! ;-)
>
> I've actually thought of doing an electronic keyslip program for mobile
> phones/tablets that would let you build the list electronically using QR
> codes or NFC, or maybe doing it via the hash-on-the-projector method for
> maximum speed.  Then you could just download the file to your signing
> machine and let CAFF do its thing.
>
> Would this interest anyone?  Does the idea have flaws that I'm blind to?

Yes, to your first question. How you would do that via the
hash-on-the-projector method, is not clear to me, though. Would that be
for generating the (initial) list of the organizers as in Sassaman
Efficient (as an additional service for people using cell phones or
tablets)? Or wouldn't there be any paper copy at the event?
Sorry, for questions that might seem obvious to you.

Thanks

Stephan

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

0x4218732B.asc (4K) Download Attachment
signature.asc (465 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Stephan Beck
In reply to this post by Peter Lebbing


Peter Lebbing:

> Stephan and Lachlan, thank you for thinking about this! I need to make a
> decision soon, I really need feedback!
>
> On 07/12/16 22:44, Stephan Beck wrote:
>> Doesn't your proposal imply that late attendees could
>> make their way through all the keysigning without fingerprint
>> verification? Or do I miss something?
>
> The normal attendees also don't do any fingerprint verification *at the party*.
> At home, before the party, they checked their own fingerprint, and generated the
> SHA256 checksum for the file they got. At the party, everybody together checks
> the SHA256 checksum by simply reading aloud each and every digit.
Yes, Peter, but they are the "ordinary" participants who went through
the preparation, and then state (at the event) that the checksum is
{checksum} and that the corresponding fingerprint on the list is theirs
and that it is correct ("check out"). The others (late attendees) just
hand out their keyslip (keyslip is just an "unverified statement"),
receive the keyslip from the other, together with the fingerprint-less
list they have, and postpone the verification to the moment when they
are at home and have been sent the list from the organizer. By that
time, the other ("Sassaman's Efficient ordinary participants") can
already be sure of the integrity/authenticity of the messages of their
communication partners and that partner's true identity.

Just some meditations:

So, the late attendees can see and hear that the ordinary participants
confirm the checksum and that their fingerprints check out?
One that was on the list and didn't show up would not get the required
marks on () fpr () id ? Would that person be (as uid-serial number, 001,
002, 003...) on the attendee's fingerprint-less list? But that person
definitely would not end up as a person being included in the final
list? That might produce inconsistencies in numbering. So the final list
just would not include some serial numbers that once were on the
"initial" list or the fingerprint-less list? Then, by checking serial
numbers, as you say, it's ok :-)

Cheers

Stephan

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

0x4218732B.asc (4K) Download Attachment
signature.asc (465 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Peter Lebbing
On 08/12/16 14:14, Stephan Beck wrote:
> Just some meditations:
>
> So, the late attendees can see and hear that the ordinary participants
> confirm the checksum and that their fingerprints check out?

Yes, the late attendees definitely need to be there at the beginning of the
party, verifying that the SHA256 checksum printed at the top of their scrubbed
list is the one being read aloud and hearing everybody confirm their fingerprint
is correct.

> One that was on the list and didn't show up would not get the required marks
> on () fpr () id ?

Correct, I actually cross out the full entry with my pen, but it would suffice
not to put a check mark on Fingerprint. A check mark on ID is totally out of the
question, that check mark indicates you have verified their identity!

> Would that person be (as uid-serial number, 001, 002, 003...) on the
> attendee's fingerprint-less list? But that person definitely would not end up
> as a person being included in the final list?

The list is *immutable*. It is finished before the event even starts, and has a
known SHA256 checksum.

People are not added to or removed from the list.

Late participants get the original list as it was sent to the early registrants,
with the precise, known SHA256 list.

After someone has verified they at least received the correct list
electronically, they're free to change whatever they like on the list for
themselves, *but not to send on to others*. It is vitally important that wat is
sent to people is the original list with the correct SHA256 checksum. And if
somebody is unable to get a list with the correct SHA256 checksum, they have
wasted their time with verifying the people on the list. But this would be an
odd situation: nobody is able to send them an unmodified file? I'd worry about
my computer and my internet connection then, not the time lost during the
keysigning.

> Then, by checking serial numbers, as you say, it's ok :-)

Checking serial numbers <-> UID mappings is /purely/ to catch out dishonesty on
the part of the person who printed the scrubbed lists for the late attendees. It
is not to account for changes in who was present and stuff like that.

Of course I'll provide the lists, so I for myself know they will be okay.
However, the other people would just have my word for it, and that is wholly
insufficient.

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Lachlan Gunn
Le 2016-12-09 à 00:25, Peter Lebbing a écrit :
> Yes, the late attendees definitely need to be there at the beginning of the
> party, verifying that the SHA256 checksum printed at the top of their scrubbed
> list is the one being read aloud and hearing everybody confirm their fingerprint
> is correct.

Can't they get this from the other participants in the line?  Checking
with a few people at random gives reasonable assurance that this is what
was agreed on at the beginning, or they can check them all if they want
to be certain.

Thanks,
Lachlan

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Lachlan Gunn
In reply to this post by Peter Lebbing
Le 2016-12-08 à 22:05, Peter Lebbing a écrit :
> Stephan and Lachlan, thank you for thinking about this! I need to make a
> decision soon, I really need feedback!

Not a problem, efficient keysigning is something I've been pondering for
a while, so I'm really glad to see people working in the area.

> I wouldn't say my information is detailed actually, I could write a *lot* more
> about proper procedure. But I hoped I didn't have to, instead just focussing on
> what I wanted to do *differently* from usual.

Personally I am of the mind that anything longer than that email is
wishful thinking, you have to get people to actually follow it.  The
ones who need to do it are also only the ones who weren't organised in
advance, so I think keep the extra work to a minimum if you want to
maximise the useful signatures from them.

To this end, another suggestion is to make the forms that they fill in
identical, whether or not they are late.  You could do this by putting
the fingerprints at the end of the primary document and just printing
out the first bit for latecomers.  This might save some "I don't know
how your form works, I have the prearranged one" on the day.

It's late here now, but I'll try to have a look over the weekend to see
if there are any missed opportunities for automation.

Thanks,
Lachlan

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Stephan Beck
In reply to this post by Peter Lebbing


Peter Lebbing:

> On 08/12/16 14:14, Stephan Beck wrote:
>> Just some meditations:
>>
>> So, the late attendees can see and hear that the ordinary participants
>> confirm the checksum and that their fingerprints check out?
>
> Yes, the late attendees definitely need to be there at the beginning of the
> party, verifying that the SHA256 checksum printed at the top of their scrubbed
> list is the one being read aloud and hearing everybody confirm their fingerprint
> is correct.
[...]

Thanks, Peter. No more open questions!
As with everything, I think I'd have to set up such an event and go
through its practical application (or participate in one) to become more
expert. Let me see if there are any in my region.

Stephan

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

0x4218732B.asc (4K) Download Attachment
signature.asc (465 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Peter Lebbing
In reply to this post by Lachlan Gunn
On 08/12/16 14:51, Lachlan Gunn wrote:
> Personally I am of the mind that anything longer than that email is
> wishful thinking, you have to get people to actually follow it.

The e-mail wasn't meant to be the text for participants. I've spent all
afternoon writing a text at the 33C3 wiki[1], but only part of it is
meant to be read by everyone, or essentially, everyone who wants to know
more than the most basic. It's 1764 words. I've tried to restrict it to
the important things, and I feel that cutting it further down would lose
important information. I don't think it's necessary for everyone to read
the whole section, though.

My e-mail was 1424 words though, so I am afraid I ended up in your
wishful thinking area.

The remaining 1607 words are in the sections "Background" and "Option
for advanced users", and those words happen to include the name Lachlan.
Go check it out! ;-P

> To this end, another suggestion is to make the forms that they fill in
> identical, whether or not they are late.  You could do this by putting
> the fingerprints at the end of the primary document and just printing
> out the first bit for latecomers.  This might save some "I don't know
> how your form works, I have the prearranged one" on the day.

I really like this suggestion! I had to think about it for a while
before I could see a way to make it work. The trouble is that I want
caff to be able to process the file, and for that I need to keep it
having much of the same patterns. I ended up not significantly altering
the two files compared to what I proposed, but instead suggesting
everybody should use the scrubbed version. That way, the instructions
are the same for all participants.

Thank you,

Peter.

[1] https://events.ccc.de/congress/2016/wiki/Session:Keysigning_party

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Peter Lebbing
In reply to this post by Lachlan Gunn
On 08/12/16 15:08, Lachlan Gunn wrote:
> Can't they get this from the other participants in the line?  Checking
> with a few people at random gives reasonable assurance that this is what
> was agreed on at the beginning, or they can check them all if they want
> to be certain.

Personally, I find checking a few other participants to be too weak an
assurance. I don't believe in security by numbers. If I'm dealing with
statistics, I want them to be on the order of "chance of one in 2^127".
You might recognise the chosen quantity :-). But everybody is free to
decide their own policy.

And checking at everyone would hold up the process; it's 64 hex digits
to verify!

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Peter Lebbing
On 11/12/16 18:22, Peter Lebbing wrote:
> You might recognise the chosen quantity :-).

Or you might not because it was based on a stupid thinking error on my
side. Let's make it "a chance of 1 in 2^128", which could be the chance
of you trying a symmetric encryption key and actually being right about it.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Robert J. Hansen-3
> Or you might not because it was based on a stupid thinking error on my
> side. Let's make it "a chance of 1 in 2^128", which could be the chance
> of you trying a symmetric encryption key and actually being right about it.

I'm glad you made the correction: that error was sooooo profound.  :)


(For those not up on their large-number theory: the difference is
insignificant.  Peter's correction was made in a spirit of utterly
pedantic attention to detail [a spirit I share!], not because it mattered.)

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

(OT) Hybrid keysigning party, your opinion?

Peter Lebbing
On 11/12/16 21:37, Robert J. Hansen wrote:
> Peter's correction was made in a spirit of utterly pedantic attention
> to detail [a spirit I share!]

Hah! Guilty as charged :-).

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Recording keysigning attendants on phone (was: Hybrid keysigning party, your opinion?)

Lachlan Gunn
In reply to this post by Stephan Beck
Le 2016-12-08 à 22:30, Stephan Beck a écrit :
> Yes, to your first question. How you would do that via the
> hash-on-the-projector method, is not clear to me, though. Would that be
> for generating the (initial) list of the organizers as in Sassaman
> Efficient (as an additional service for people using cell phones or
> tablets)? Or wouldn't there be any paper copy at the event?
> Sorry, for questions that might seem obvious to you.

Yes, sorry.  There wouldn't be any paper copy, which might be a problem,
unless you have a printer available to produce printed copies on demand
which can be checked later.

The idea is to allow people to add themselves to the list right up until
the last minute, then someone cuts the ribbon, the system emails it to
everyone and displays it on the projector, and they all follow either
the standard Sassaman method or Peter's hybrid one.

Thanks,
Lachlan


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Lachlan Gunn
In reply to this post by Peter Lebbing
Le 2016-12-12 à 03:45, Peter Lebbing a écrit :
> I really like this suggestion! I had to think about it for a while
> before I could see a way to make it work. The trouble is that I want
> caff to be able to process the file, and for that I need to keep it
> having much of the same patterns. I ended up not significantly altering
> the two files compared to what I proposed, but instead suggesting
> everybody should use the scrubbed version. That way, the instructions
> are the same for all participants.

Also, while I promised to forever hold my peace, you might want to give
people a a programmatic way to make the scrubbed list so that those who
print their own don't need to manually verify it.  This might add too
much complexity, so I don't know whether it is worthwhile.

Something like

    sed -re '/^(pub|\s+Key fingerprint).*$/d' <main.txt >scrubbed.txt

is easy enough to verify by eye as not being a trick.  The //d (rather
than s///) is important because unless it makes the list shorter, there
isn't any incentive to go to the trouble :)

Thanks,
Lachlan


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hybrid keysigning party, your opinion?

Lachlan Gunn
In reply to this post by Peter Lebbing
Le 2016-12-12 à 03:45, Peter Lebbing a écrit :
> My e-mail was 1424 words though, so I am afraid I ended up in your
> wishful thinking area.
>
> The remaining 1607 words are in the sections "Background" and "Option
> for advanced users", and those words happen to include the name Lachlan.
> Go check it out! ;-P

My apologies if I came across as overly harsh.  What I meant was that it
took me a little bit of time to work out exactly what you meant, so
someone unfamilar with the web of trust will probably not follow
exactly; it may just have been that I went through your email too late
at night. Something along the lines of the following might make it more
clear to everyone who is familiar with the hashed-list approach:

    Those who are in the advance list are certified in the usual way,
    and latecomers hand out keyslips in order to get themselves
    certified.

    If you are late you need to check when you get home
    that the names and serial numbers on the form that we gave
    out match those on the one whose hash is on the projector.

But this is just me nitpicking about presentation.  I think the idea is
good, and falls into that wonderful category of things that are obvious
in retrospect, but in need of someone clever to make the breakthrough
without the benefit of hindsight.

One last thought: This may be naïvely optimistic, but if everyone
finishes at the same time then you can always do a second confirmation
of the list-hash at the end for people who are late to the session.  Or
if you're into arts and crafts, give them a copy of the master hash on
overhead transparency that they can use to very quickly check against
someone else's.

Thanks,
Lachlan


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Recording keysigning attendants on phone

Stephan Beck
In reply to this post by Lachlan Gunn


Lachlan Gunn:

> Le 2016-12-08 à 22:30, Stephan Beck a écrit :
>> Yes, to your first question. How you would do that via the
>> hash-on-the-projector method, is not clear to me, though. Would that be
>> for generating the (initial) list of the organizers as in Sassaman
>> Efficient (as an additional service for people using cell phones or
>> tablets)? Or wouldn't there be any paper copy at the event?
>> Sorry, for questions that might seem obvious to you.
>
> Yes, sorry.  There wouldn't be any paper copy, which might be a problem,
> unless you have a printer available to produce printed copies on demand
> which can be checked later.
>
> The idea is to allow people to add themselves to the list right up until
> the last minute, then someone cuts the ribbon, the system emails it to
> everyone and displays it on the projector, and they all follow either
> the standard Sassaman method or Peter's hybrid one.
Thanks for the explanation, Lachlan. Ok, I see, preparations (required
in the Sassaman Efficient keysigning event model), in your scheme, are
done electronically right before the event starts, are they?
Well, that may be fine for many people.
Don't ask me why, but, personally, I'd always prefer an additional paper
copy as a security measure.

Cheers

Stephan





_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (465 bytes) Download Attachment
12
Loading...