[ale] PGP/GPG Keysigning party! ALE Central November 19th.

Greg Freemyer greg.freemyer at gmail.com
Wed Oct 28 11:37:53 EDT 2009


On Wed, Oct 28, 2009 at 10:57 AM, Michael B. Trausch
<mbt at zest.trausch.us> wrote:
> On Wed, 2009-10-28 at 10:41 -0400, Jim Lynch wrote:
>> I for one would like to know exactly what this activity is good for.
>> I understand that one of the uses of these keys is to be sure an email
>> is from who you think it is.  Exactly what activities are you guys
>> involved in that require that level of security?  Obviously you are
>> doing something other than sending responses to the various
>> questions/issues on this list.
>>
>> I'm not criticizing, just very puzzled 'cause I have no real idea of a
>> practical use for this level of security.
>>
>> Thanks for the enlightenment.
>
> GPG signatures are good for the case where you want to see if the
> message was altered in transit.  However, where they really shine is
> encrypted communications.  Everything you write on the Internet and send
> by way of HTTP (not HTTPS) and email (which is inherently insecure) is
> sent in plain old, very readable and modifiable text.
>
> Here's an example.
>
> Imagine that you're writing to a friend to tell her what you're getting
> for various members of her family.  Now, imagine that I am her husband,
> and I control that network, and that I am a nosy bastard.  Your message
> is probably screened through some program and I see it and read it.  I
> can also modify it; she'll never know.
>
> Imagine the same situation, but instead, I work for her ISP and am not
> her husband.  I can see the message as it passes through my network,
> optionally logging it and reading it later should I choose to do so.  In
> fact, I have no reason to believe that ISPs don't already do this with
> unencrypted communications.  After all, they're the prime points of
> interception on this great big network.  They can intercept, modify, and
> then deliver the message---without detection.
>
> Now, imagine that I am the President.  (That ought to be good for a
> laugh.)  I sign an Executive Order compelling some random other entity
> or person in the government to begin collecting and analyzing all
> plaintext traffic on the Internet and logging it and attributing it to
> those who wrote it, watching for bad behavior and being the Big Brother
> we all don't want to have power.  (They already do some form of this
> already, actually, or at least they did.)  If it becomes convenient they
> can compel an ISP to cooperate and intercept messages so that the
> government can modify them and send the modified versions to their
> recipients.  If messages carry OpenPGP signatures, this is not possible
> (well, not likely*) and the government cannot insert itself into the
> dialogue.  With encryption, the government cannot even see what is being
> said.  Same goes for the ISP, or that pesky nosy neighbor that is on the
> same cable network as you are and is snooping around the node for
> anything that looks to be "interesting".
>
>        --- Mike

I get all of the above by pulling your public key from a key server
and using pgp.

The purpose of a signing party is to allow me to have confidence that
the "Michael B. Trausch" who is part of ALE is the same person that
has a key on the key server.

Like Jim, I'm not sure I need that for very many of the ALE'ers.

And for the few I might need that for I can call them and say, "I
pulled your public key from the key server, can you send me a pgp
encrypted email so I can verify the public key I have is actually
yours".

So, my question is not "What is pgp good for?".  My question is "What
is a key signing party good for?"

Thanks
Greg
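
As an added example, not part of Greg's or Mike's messages, here is a shell script that shows the difference between "I pulled a key from a key server" and "I checked the fingerprint with the person and signed it". It builds three throwaway GnuPG homes with constructed identities (Greg, Mike, and an impostor who uses Mike's exact name and address), imports both "Mike" keys into Greg's keyring the way a keyserver lookup would, locally signs only the fingerprint Greg checked at the party, then verifies a note signed by each key plus a tampered copy of the real one. The names, addresses and note text are made up for the example; it needs gpg 2.1 or newer on PATH and never touches your real keyring.

```shell
#!/bin/sh
# Added example (not from the ALE thread): what a keysigning party buys you that
# a keyserver lookup does not. Three constructed identities, each in its own
# temporary GnuPG home. Requires gpg 2.1+; %no-protection keeps it non-interactive.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'for h in greg mike mallory; do GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# Run gpg inside one of the constructed homes, quietly and non-interactively.
g() {
  home=$1; shift
  GNUPGHOME="$WORK/$home" gpg --batch --yes --quiet --no-tty "$@"
}

# Generate an unprotected RSA signing key for a constructed user id.
gen_key() {
  mkdir -p "$WORK/$1" && chmod 700 "$WORK/$1"
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Primary-key fingerprint of the only key in a home (field 10 of the fpr record).
fpr_of() { g "$1" --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'; }

# Validity gpg computes for a key in Greg's keyring: '-' unknown, 'f' full, 'u' ultimate.
validity_of() { g greg --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $2; exit}'; }

# Trust verdict Greg gets when verifying a clearsigned file, e.g. TRUST_FULLY.
trust_verdict() {
  { g greg --status-fd 1 --verify "$1" 2>/dev/null || true; } | awk '/^\[GNUPG:\] TRUST_/{print $2; exit}'
}

# Does the signature check cryptographically at all? GOODSIG or BADSIG.
sig_status() {
  { g greg --status-fd 1 --verify "$1" 2>/dev/null || true; } | awk '/^\[GNUPG:\] (GOODSIG|BADSIG)/{print $2; exit}'
}

gen_key greg    "Greg Example"    "greg@example.org"
gen_key mike    "Michael Example" "mike@example.org"
gen_key mallory "Michael Example" "mike@example.org"   # impostor: identical user id

MIKE_FPR=$(fpr_of mike)
MALLORY_FPR=$(fpr_of mallory)

# What a keyserver hands Greg: both keys, indistinguishable by name or address.
g mike    --armor --export "$MIKE_FPR"    > "$WORK/mike.asc"
g mallory --armor --export "$MALLORY_FPR" > "$WORK/mallory.asc"
g greg --import "$WORK/mike.asc" "$WORK/mallory.asc"

# The party: Mike read his fingerprint aloud, Greg checked his ID and wrote it
# down. Greg signs that fingerprint and only that one (local signature, not exported).
FPR_FROM_PARTY=$MIKE_FPR
g greg --quick-lsign-key "$FPR_FROM_PARTY"

# Both "Mikes" sign the same constructed note; someone on the path edits the real one.
printf 'The gift for your sister is a telescope.\n' > "$WORK/note.txt"
g mike    --clearsign --output "$WORK/note.mike.asc"    "$WORK/note.txt"
g mallory --clearsign --output "$WORK/note.mallory.asc" "$WORK/note.txt"
sed 's/telescope/toaster/' "$WORK/note.mike.asc" > "$WORK/note.tampered.asc"

printf 'real key validity:     %s\n' "$(validity_of "$MIKE_FPR")"
printf 'impostor key validity: %s\n' "$(validity_of "$MALLORY_FPR")"
printf 'real note:     %s %s\n' "$(sig_status "$WORK/note.mike.asc")"    "$(trust_verdict "$WORK/note.mike.asc")"
printf 'impostor note: %s %s\n' "$(sig_status "$WORK/note.mallory.asc")" "$(trust_verdict "$WORK/note.mallory.asc")"
printf 'tampered note: %s\n'    "$(sig_status "$WORK/note.tampered.asc")"
```

Both signatures come back GOODSIG: the mathematics cannot tell the two Mikes apart, and a keyserver will happily serve both. What the party changes is the trust verdict Greg's gpg attaches to the result: the key whose fingerprint he checked in person reports TRUST_FULLY, the impostor's reports TRUST_UNDEFINED, and the edited copy of the real note fails outright with BADSIG. Note also that a message encrypted to Greg exercises Greg's key, not the sender's; it is a signature made with the downloaded key, plus an out-of-band fingerprint check, that ties that key to a person.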
