Web of Trust
Noisebridge Web of Trust
Some of us were thinking it would be useful to have an informal noisebridge web of trust.
Here's how the GPG web of trust works:
- You want to send a message to Alice.
- You download the email@example.com keys from a public keyserver. This key may not belong to the real Alice!
- If three or more people you trust, either directly or transitively, have signed the firstname.lastname@example.org key, your GPG client will tell you that.
- Finally, you can send an email to Alice, with some assurance that you have the right key.
Noisebridge can help the following ways:
- Finding Alice's email address, if you don't already have it.
- Providing a convenient venue for you to meet three or more people who may know people who know Alice.
For now, we'd like to get more people to sign each others' keys at Noisebridge. In the future, it may be useful to build tools to visualize islands and the noisebridge "strong set", the largest set of noisebridge people who mutually trust each other. Once that set of people is clear, you can join it by finding three or more people who belong to it who are willing to sign your key.
- Don't trust signatures you find on the noisebridge wiki.
- Don't trust 32-bit or 64-bit short ids. They can be easily faked. See https://evil32.com/
so what's the action coming out, are we going to have an nb-wot?
was just about to say the same thing
Does anyone know if there's any facilities in GPG for enabling this or should we just keep a public list?
the normal keyservers will do
i think x is taking charge on his idea of these classes to use and supplement the EFF docs he linked: https://ssd.eff.org/
Surveillance Self-Defense Tips, Tools and How-tos for Safer Online Communications
we just need a critical mass of people with 3 marginally-trusted signatures
The tricky thing is that we want to communicate other information once we've bootstrapped GPG-trust
if anyone's in the space right now, I'm sitting on the couch by the window. let's sign.
Like signal info, etc.
how long are you going to be there?
I'll be there in a few hours
a few hours probably
I mean, I might get off the couch
I don’t plan to get into PGP at the workshop. I’m going to share the Willie Brown catchphrase “the e- in e-mail stands for evidence” and encourage people basically not to write too much sensitive stuff in email, and if they do, to delete the email afterwards rather than storing it in an encrypted form.
I should get off my couch too
It would have been much better for the DNC to regularly delete all their emails rather than try to learn PGP.
I think tor, tails, etc can be useful without any special knowledge though
Deleting emails works! It’s a trusted strategy used by mayors and governors nationwide.
mayors and governors who are at no serious risk of being under wiretap
without a prior corruption investigation
Oh yeah: Tor, Signal, installing updates, 2FA, Tails in some cases, maybe Onionshare, that kind of stuff.
this is getting wiki sized
|Name||Fingerprint||64-bit KeyID||Key Location|
|Zephyr <email@example.com>||9358 C8BD AAD9 A62B B08B 9660 F6F2 D044 5DC1 72F8||0xF6F2D0445DC172F8||keybase.io/zetavolt/key.asc|