Web of Trust: Difference between revisions
No edit summary |
No edit summary |
||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 15: | Line 15: | ||
* Providing a convenient venue for you to meet three or more people who may know people who know Alice. | * Providing a convenient venue for you to meet three or more people who may know people who know Alice. | ||
For now, we'd like to get more people to sign each others' keys at Noisebridge. In the future, it may be useful to build tools to visualize islands and the noisebridge "strong set", the largest set of noisebridge people who mutually trust each other. Once that set of people is clear, you can join it by finding three or more people who belong to it who are willing to sign your key, and we can strategically bridge islands to join the largest group of people together. | |||
== Clear instructions == | |||
signing someone's key! | |||
+ get their key from a keyserver | |||
gpg --search-keys '<alice@example.com>' | |||
+ You and Alice both do the follwing the long string of hex (the fingerprint). It's often convenient to read them out loud. | |||
gpg --fingerprint '<alice@example.com>' | |||
+ Once you're convinced Alice is Alice, | |||
gpg --sign-key '<alice@example.com>' | |||
+ Give Alice marginal trust, so that people who Alice and two other marginally-trusted people trust are transitively trusted by you: | |||
gpg --edit-key '<alice@example.com>' | |||
... | |||
gpg> trust | |||
... | |||
Please decide how far you trust this user to correctly verify other users' keys | |||
(by looking at passports, checking fingerprints from different sources, etc.) | |||
1 = I don't know or won't say | |||
2 = I do NOT trust | |||
3 = I trust marginally | |||
4 = I trust fully | |||
5 = I trust ultimately | |||
m = back to the main menu | |||
Your decision? 2 | |||
+ Upload your signature to the keyserver | |||
gpg --send-key "$alice_fingerprint" | |||
(there might be somthing easier just by using --edit-key, I haven't worked through it yet -l) | |||
== Caveats == | |||
* Don't trust signatures you find on the noisebridge wiki. | |||
* Don't trust 32-bit or 64-bit short ids. They can be easily faked. See https://evil32.com/ | |||
== chat log == | == chat log == | ||
| Line 71: | Line 116: | ||
! scope="col"| Name | ! scope="col"| Name | ||
! scope="col"| Fingerprint | ! scope="col"| Fingerprint | ||
! scope="col"| Key Location | ! scope="col"| Key Location | ||
|- | |- | ||
! scope="row"| Zephyr <zv@nxvr.org> | ! scope="row"| Zephyr <zv@nxvr.org> | ||
| 9358 C8BD AAD9 A62B B08B 9660 F6F2 D044 5DC1 72F8 | | 9358 C8BD AAD9 A62B B08B 9660 F6F2 D044 5DC1 72F8 | ||
| | | https://keybase.io/zetavolt/key.asc | ||
| | | | ||
|- | |- | ||
! scope="row"| | ! scope="row"| cowlicks <cowlicks@riseup.net> | ||
| | | D3A4 A167 C186 4747 8645 73F1 39E3 7237 0D7A A999 | ||
| | | https://keybase.io/cowlicks/key.asc | ||
| | | | ||
|} | |} | ||
Latest revision as of 18:32, 9 November 2016
Noisebridge Web of Trust[edit]
Some of us were thinking it would be useful to have an informal noisebridge web of trust.
Here's how the GPG web of trust works:
- You want to send a message to Alice.
- You download the alice@example.com keys from a public keyserver. This key may not belong to the real Alice!
- If three or more people you trust, either directly or transitively, have signed the alice@example.com key, your GPG client will tell you that.
- Finally, you can send an email to Alice, with some assurance that you have the right key.
Noisebridge can help the following ways:
- Finding Alice's email address, if you don't already have it.
- Providing a convenient venue for you to meet three or more people who may know people who know Alice.
For now, we'd like to get more people to sign each others' keys at Noisebridge. In the future, it may be useful to build tools to visualize islands and the noisebridge "strong set", the largest set of noisebridge people who mutually trust each other. Once that set of people is clear, you can join it by finding three or more people who belong to it who are willing to sign your key, and we can strategically bridge islands to join the largest group of people together.
Clear instructions[edit]
signing someone's key!
+ get their key from a keyserver
gpg --search-keys '<alice@example.com>'
+ You and Alice both do the follwing the long string of hex (the fingerprint). It's often convenient to read them out loud.
gpg --fingerprint '<alice@example.com>'
+ Once you're convinced Alice is Alice,
gpg --sign-key '<alice@example.com>'
+ Give Alice marginal trust, so that people who Alice and two other marginally-trusted people trust are transitively trusted by you:
gpg --edit-key '<alice@example.com>' ... gpg> trust ... Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 2
+ Upload your signature to the keyserver
gpg --send-key "$alice_fingerprint"
(there might be somthing easier just by using --edit-key, I haven't worked through it yet -l)
Caveats[edit]
- Don't trust signatures you find on the noisebridge wiki.
- Don't trust 32-bit or 64-bit short ids. They can be easily faked. See https://evil32.com/
chat log[edit]
so what's the action coming out, are we going to have an nb-wot?
was just about to say the same thing
yes
Does anyone know if there's any facilities in GPG for enabling this or should we just keep a public list?
the normal keyservers will do
i think x is taking charge on his idea of these classes to use and supplement the EFF docs he linked: https://ssd.eff.org/
ssd.eff.org
Surveillance Self-Defense Tips, Tools and How-tos for Safer Online Communications
we just need a critical mass of people with 3 marginally-trusted signatures
The tricky thing is that we want to communicate other information once we've bootstrapped GPG-trust
if anyone's in the space right now, I'm sitting on the couch by the window. let's sign.
Like signal info, etc.
how long are you going to be there?
I'll be there in a few hours
a few hours probably
I mean, I might get off the couch
I don’t plan to get into PGP at the workshop. I’m going to share the Willie Brown catchphrase “the e- in e-mail stands for evidence” and encourage people basically not to write too much sensitive stuff in email, and if they do, to delete the email afterwards rather than storing it in an encrypted form.
I should get off my couch too
It would have been much better for the DNC to regularly delete all their emails rather than try to learn PGP.
I think tor, tails, etc can be useful without any special knowledge though
Deleting emails works! It’s a trusted strategy used by mayors and governors nationwide.
mayors and governors who are at no serious risk of being under wiretap
without a prior corruption investigation
Oh yeah: Tor, Signal, installing updates, 2FA, Tails in some cases, maybe Onionshare, that kind of stuff.
this is getting wiki sized
| Name | Fingerprint | Key Location | |
|---|---|---|---|
| Zephyr <zv@nxvr.org> | 9358 C8BD AAD9 A62B B08B 9660 F6F2 D044 5DC1 72F8 | https://keybase.io/zetavolt/key.asc | |
| cowlicks <cowlicks@riseup.net> | D3A4 A167 C186 4747 8645 73F1 39E3 7237 0D7A A999 | https://keybase.io/cowlicks/key.asc |