Web of Trust

From Noisebridge
Revision as of 16:11, 9 November 2016 by Lizzie

Noisebridge Web of Trust

Some of us were thinking it would be useful to have an informal Noisebridge web of trust.

Here's how the GPG web of trust works:

  • You want to send a message to Alice.
  • You download the alice@example.com key from a public keyserver. This key may not belong to the real Alice!
  • If three or more people you trust, either directly or transitively, have signed the alice@example.com key, your GPG client will tell you that.
  • Finally, you can send an email to Alice, with some assurance that you have the right key.

Noisebridge can help in the following ways:

  • Finding Alice's email address, if you don't already have it.
  • Providing a convenient venue for you to meet three or more people who may know people who know Alice.

For now, we'd like to get more people to sign each other's keys at Noisebridge. In the future, it may be useful to build tools to visualize islands and the Noisebridge "strong set", the largest set of Noisebridge people who mutually trust each other. Once that set of people is clear, you can join it by finding three or more people who belong to it who are willing to sign your key, and we can strategically bridge islands to join the largest group of people together.
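One way to find the islands and the strong set from a record of who has signed whose key, as an added example that is not part of the original page. It assumes "mutually trust each other" means every member can reach every other member by following signatures; the names and signature data are constructed.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has signed.
# Real input would identify keys by full fingerprint, never by short key ID.
SIGNATURES = {
    "alice": {"bob", "carol"}, "bob": {"carol", "dave"},
    "carol": {"alice", "dave"}, "dave": {"alice", "erin"},
    "erin": {"frank"}, "frank": {"erin"}, "grace": set(),
}
JOIN_THRESHOLD = 3  # the page's rule: three or more members sign your key


def all_keys(sigs):
    return set(sigs) | {k for signed in sigs.values() for k in signed}


def reachable(sigs, start):
    """Every key reachable from start by following signatures (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for key in sigs.get(queue.popleft(), ()):
            if key not in seen:
                seen.add(key)
                queue.append(key)
    return seen


def islands(sigs):
    """Groups whose members all reach each other, largest first."""
    # Quadratic in the number of keys, which is fine for one hackerspace.
    reach = {k: reachable(sigs, k) for k in all_keys(sigs)}
    groups = {frozenset(m for m in reach[k] if k in reach[m]) for k in reach}
    return sorted(groups, key=lambda g: (-len(g), sorted(g)))


def signatures_needed(sigs, strong_set):
    """For each outsider: how many more strong-set signatures it needs."""
    needed = {}
    for key in all_keys(sigs) - set(strong_set):
        have = sum(1 for member in strong_set if key in sigs.get(member, ()))
        needed[key] = max(0, JOIN_THRESHOLD - have)
    return needed


if __name__ == "__main__":
    groups = islands(SIGNATURES)
    print("strong set:", sorted(groups[0]), "islands:", [sorted(g) for g in groups[1:]])
    print("still needed:", signatures_needed(SIGNATURES, groups[0]))
```

The first group returned is the strong set; the remaining groups are the islands that could be bridged.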

Clear instructions

TODO

Caveats

  • Don't trust signatures you find on the noisebridge wiki.
  • Don't trust 32-bit or 64-bit short key IDs. They can be easily faked. See https://evil32.com/

Chat log

so what's the action coming out, are we going to have an nb-wot?

was just about to say the same thing

yes

Does anyone know if there are any facilities in GPG for enabling this or should we just keep a public list?

the normal keyservers will do

i think x is taking charge on his idea of these classes to use and supplement the EFF docs he linked: https://ssd.eff.org/

we just need a critical mass of people with 3 marginally-trusted signatures

The tricky thing is that we want to communicate other information once we've bootstrapped GPG-trust

if anyone's in the space right now, I'm sitting on the couch by the window. let's sign.

Like signal info, etc.

how long are you going to be there?

I'll be there in a few hours

a few hours probably

I mean, I might get off the couch

I don’t plan to get into PGP at the workshop. I’m going to share the Willie Brown catchphrase “the e- in e-mail stands for evidence” and encourage people basically not to write too much sensitive stuff in email, and if they do, to delete the email afterwards rather than storing it in an encrypted form.

I should get off my couch too

It would have been much better for the DNC to regularly delete all their emails rather than try to learn PGP.

I think tor, tails, etc can be useful without any special knowledge though

Deleting emails works! It’s a trusted strategy used by mayors and governors nationwide.

mayors and governors who are at no serious risk of being under wiretap

without a prior corruption investigation

Oh yeah: Tor, Signal, installing updates, 2FA, Tails in some cases, maybe Onionshare, that kind of stuff.

this is getting wiki sized

| Name | Fingerprint | 64-bit KeyID | Key Location |
|---|---|---|---|
| Zephyr <zv@nxvr.org> | 9358 C8BD AAD9 A62B B08B 9660 F6F2 D044 5DC1 72F8 | 0xF6F2D0445DC172F8 | keybase.io/zetavolt/key.asc |
| Test | Test | Test | Test |