Web of Trust

From Noisebridge

Noisebridge Web of Trust

Some of us were thinking it would be useful to have an informal noisebridge web of trust.

Here's how the GPG web of trust works:

  • You want to send a message to Alice.
  • You download the key for alice@example.com from a public keyserver. Anyone can upload a key with that address, so this key may not belong to the real Alice!
  • GPG considers the key valid if it has been signed by people you trust to verify keys: by default, one person you trust fully, or three people you trust marginally. That trust can be direct or transitive (people they have in turn certified, up to a chain depth of five), and your GPG client will tell you whether the key is valid.
  • Finally, you can send an email to Alice, with some assurance that you have the right key.

Noisebridge can help the following ways:

  • Finding Alice's email address, if you don't already have it.
  • Providing a convenient venue for you to meet three or more people who may know people who know Alice.

For now, we'd like to get more people to sign each others' keys at Noisebridge. In the future, it may be useful to build tools to visualize islands and the noisebridge "strong set", the largest set of noisebridge people who mutually trust each other. Once that set of people is clear, you can join it by finding three or more people who belong to it who are willing to sign your key, and we can strategically bridge islands to join the largest group of people together.
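The validity rule above (one full or three marginal signatures, chained up to a depth limit) and the "strong set", as an added Python example that is not the wiki's code and not GnuPG's. It models GnuPG's documented default parameters (completes-needed 1, marginals-needed 3, max-cert-depth 5) over a constructed who-signed-whom graph with made-up names; expiry, revocation and signature classes are ignored, and the strong set is taken as the largest strongly connected component of the signature graph.

```python
"""Added example (not the wiki's code, not GnuPG's): a small model of how
GnuPG decides key validity from signatures and ownertrust, plus the
"strong set" of a signature graph.  Parameters are GnuPG's documented
defaults; expiry, revocation and signature classes are ignored."""
from collections import defaultdict

COMPLETES_NEEDED = 1   # one fully trusted signature is enough
MARGINALS_NEEDED = 3   # or three marginally trusted signatures
MAX_CERT_DEPTH = 5     # how far a chain may extend from your own key

# ownertrust values as numbered in the `gpg --edit-key` trust menu
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = 1, 2, 3, 4, 5


def compute_validity(signatures, ownertrust):
    """Return {key: 'full' | 'marginal' | 'unknown'} from your point of view.

    signatures: {signer: set(signed_keys)}  (signer certified those keys)
    ownertrust: {key: trust value} as you assigned with `trust`; missing
                keys default to UNKNOWN.  Your own key must be ULTIMATE.
    Only keys that are themselves fully valid AND that you trust
    (marginally or fully) count as signers for the next depth level.
    """
    keys = set(signatures) | {k for s in signatures.values() for k in s}
    keys |= set(ownertrust)
    validity = {k: "unknown" for k in keys}
    trusted = {k for k in keys if ownertrust.get(k, UNKNOWN) == ULTIMATE}
    for k in trusted:
        validity[k] = "full"
    for _depth in range(MAX_CERT_DEPTH):
        full_count = defaultdict(int)
        marginal_count = defaultdict(int)
        for signer in trusted:
            bucket = full_count if ownertrust[signer] >= FULL else marginal_count
            for signee in signatures.get(signer, ()):
                if signee != signer:          # self-signatures don't count
                    bucket[signee] += 1
        newly_trusted = set()
        for key in keys:
            if validity[key] == "full":
                continue
            if (full_count[key] >= COMPLETES_NEEDED
                    or marginal_count[key] >= MARGINALS_NEEDED):
                validity[key] = "full"
                if ownertrust.get(key, UNKNOWN) in (MARGINAL, FULL):
                    newly_trusted.add(key)
            elif full_count[key] or marginal_count[key]:
                validity[key] = "marginal"    # some trusted signatures, not enough
        if not newly_trusted:
            break
        trusted |= newly_trusted
    return validity


def strong_set(signatures):
    """Largest set of keys that all reach each other through signatures
    (largest strongly connected component of the signature graph)."""
    keys = set(signatures) | {k for s in signatures.values() for k in s}
    reverse = defaultdict(set)
    for signer, signed in signatures.items():
        for signee in signed:
            reverse[signee].add(signer)

    def reachable(start, graph):
        seen, stack = set(), [start]
        while stack:
            k = stack.pop()
            if k not in seen:
                seen.add(k)
                stack.extend(graph.get(k, ()))
        return seen

    best, remaining = set(), set(keys)
    while remaining:
        k = next(iter(remaining))
        component = reachable(k, signatures) & reachable(k, reverse)
        remaining -= component
        if len(component) > len(best):
            best = component
    return best


# Constructed example graph with made-up names; not real keys or people.
SIGNATURES = {
    "me":    {"alice", "bob", "carol"},
    "alice": {"me", "bob", "carol", "dave", "erin", "frank"},
    "bob":   {"me", "alice", "carol", "dave", "erin"},
    "carol": {"me", "alice", "bob", "dave"},
    "dave":  {"frank"},
}
OWNERTRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
              "carol": MARGINAL, "dave": UNKNOWN, "erin": MARGINAL}

if __name__ == "__main__":
    for key, v in sorted(compute_validity(SIGNATURES, OWNERTRUST).items()):
        print(f"{key:6} {v}")
    print("strong set:", sorted(strong_set(SIGNATURES)))
```

In the constructed graph dave's key becomes fully valid (three marginally trusted signers) even though you assigned dave no ownertrust, so dave's own signature on frank counts for nothing; erin, signed by only two trusted people, stays marginal. The strong set is {me, alice, bob, carol}: dave, erin and frank are reachable from it but have not signed their way back in.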

Clear instructions

Signing someone's key

+ get their key from a keyserver

 gpg --search-keys '<alice@example.com>'

+ You and Alice both run the following and compare the long string of hex (the fingerprint), all 40 hex digits, not just the last 8 or 16. It's often convenient to read them out loud.

 gpg --fingerprint '<alice@example.com>'

+ Once you're convinced Alice is Alice (the fingerprints match and you have checked who she is),

  gpg --sign-key '<alice@example.com>'

+ Give Alice marginal ownertrust, so that keys signed by Alice and two other marginally-trusted people become valid for you:

 gpg --edit-key '<alice@example.com>'
 ...  
 gpg> trust
 ...
 Please decide how far you trust this user to correctly verify other users' keys
 (by looking at passports, checking fingerprints from different sources, etc.)
   1 = I don't know or won't say
   2 = I do NOT trust
   3 = I trust marginally
   4 = I trust fully
   5 = I trust ultimately
   m = back to the main menu
 Your decision? 3

+ Upload your signature to the keyserver, naming the key by the full fingerprint you just checked (not a short id):

 gpg --send-keys "$alice_fingerprint"

(there might be something easier just by using --edit-key, I haven't worked through it yet -l)

Caveats

  • Don't trust signatures you find on the noisebridge wiki.
  • Don't trust 32-bit or 64-bit short ids. They can be easily faked. See https://evil32.com/
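Comparing fingerprints in the signing steps above, and the short-id caveat, as an added Python example that is not the wiki's code: it parses the machine-readable `--with-colons` form of `gpg --fingerprint` output and accepts only a full 40-hex-digit match. The sample output, the fingerprints and the user id in it are constructed for the example, not real keys; the field layout follows GnuPG's doc/DETAILS.

```python
"""Added example (not the wiki's code): parse `gpg --with-colons
--fingerprint <user>` output and compare fingerprints the way the
keysigning steps require: all 40 hex digits, never a short or long id.
The sample output and every fingerprint below are constructed."""
import re

# Constructed stand-in for `gpg --with-colons --fingerprint alice@example.com`.
# Per GnuPG's doc/DETAILS: field 1 is the record type, field 5 of a pub/sub
# record is the 64-bit key id, field 10 of an fpr record is the fingerprint
# and field 10 of a uid record is the user id.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:6D7E8F9001234567:1500000000::-:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001234567:
uid:-::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.com>::::::::::0:
sub:-:4096:1:1122334455667788:1500000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981122334455667788:
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def parse_colons(text):
    """Return [{'keyid', 'fingerprint', 'uids'}] for each primary key.
    Subkey fingerprints are skipped: you sign the primary key, so that is
    the fingerprint Alice must read to you."""
    keys, current, in_primary = [], None, False
    for line in text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            current = {"keyid": fields[4], "fingerprint": None, "uids": []}
            keys.append(current)
            in_primary = True
        elif kind == "sub":
            in_primary = False
        elif kind == "fpr" and current and in_primary:
            current["fingerprint"] = fields[9]
        elif kind == "uid" and current:
            current["uids"].append(fields[9])
    return keys


def normalize(fpr):
    """Drop the spaces people read aloud, upper-case, and return None unless
    the result is a full 160-bit (40 hex digit) fingerprint."""
    s = re.sub(r"\s+", "", fpr).upper()
    return s if HEX40.match(s) else None


def display(fpr):
    """Group as `gpg --fingerprint` prints it: ten groups of four, split 5/5."""
    s = normalize(fpr)
    groups = [s[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def long_id(fpr):   # the 64-bit id gpg shows by default: last 16 hex digits
    return normalize(fpr)[-16:]


def short_id(fpr):  # the 32-bit id: last 8 hex digits, trivially collidable
    return normalize(fpr)[-8:]


def fingerprints_match(read_aloud, from_keyserver):
    """True only if both sides supply a full fingerprint and they agree.
    A short or long id on either side is rejected outright, since those can
    be forged (see evil32.com)."""
    a, b = normalize(read_aloud), normalize(from_keyserver)
    return a is not None and b is not None and a == b


# Two constructed fingerprints that share their last 32 bits: gpg would show
# both as key id 01234567, which is why only the full fingerprint is compared.
COLLIDING = ["A1B2C3D4E5F60718293A4B5C6D7E8F9001234567",
             "00000000000000000000000000000000" + "01234567"]

if __name__ == "__main__":
    for key in parse_colons(SAMPLE_COLONS):
        print(key["uids"][0])
        print("  fingerprint:", display(key["fingerprint"]))
        print("  long id:", long_id(key["fingerprint"]), "short id:", short_id(key["fingerprint"]))
    print("short ids collide:", short_id(COLLIDING[0]) == short_id(COLLIDING[1]))
```

Feed it real output with `gpg --with-colons --fingerprint alice@example.com` on stdin and it returns the primary fingerprint to compare against what Alice reads out; a match on the 8- or 16-digit id alone is refused, which is the whole point of the caveat.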

chat log

so what's the action coming out, are we going to have an nb-wot?

was just about to say the same thing

yes

Does anyone know if there's any facilities in GPG for enabling this or should we just keep a public list?

the normal keyservers will do

i think x is taking charge on his idea of these classes to use and supplement the EFF docs he linked: https://ssd.eff.org/

ssd.eff.org

Surveillance Self-Defense Tips, Tools and How-tos for Safer Online Communications

we just need a critical mass of people with 3 marginally-trusted signatures

The tricky thing is that we want to communicate other information once we've bootstrapped GPG-trust

if anyone's in the space right now, I'm sitting on the couch by the window. let's sign.

Like signal info, etc.

how long are you going to be there?

I'll be there in a few hours

a few hours probably

I mean, I might get off the couch

I don’t plan to get into PGP at the workshop. I’m going to share the Willie Brown catchphrase “the e- in e-mail stands for evidence” and encourage people basically not to write too much sensitive stuff in email, and if they do, to delete the email afterwards rather than storing it in an encrypted form.

I should get off my couch too

It would have been much better for the DNC to regularly delete all their emails rather than try to learn PGP.

I think tor, tails, etc can be useful without any special knowledge though

Deleting emails works! It’s a trusted strategy used by mayors and governors nationwide.

mayors and governors who are at no serious risk of being under wiretap

without a prior corruption investigation

Oh yeah: Tor, Signal, installing updates, 2FA, Tails in some cases, maybe Onionshare, that kind of stuff.

this is getting wiki sized

Name                             Fingerprint                                         Key location
Zephyr <zv@nxvr.org>             9358 C8BD AAD9 A62B B08B 9660 F6F2 D044 5DC1 72F8   https://keybase.io/zetavolt/key.asc
cowlicks <cowlicks@riseup.net>   D3A4 A167 C186 4747 8645 73F1 39E3 7237 0D7A A999   https://keybase.io/cowlicks/key.asc