This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 26 June 2022
      I've never played #Minecraft - Is this #Federated software? Is it #FreeSoftware? If so, how can Microsoft control what's happening on someone's private server? Even if such code existed in a #FreeSoftware application, I would have thought there'd be a fork that eliminates that external control. It's time for that now. But if #Minecraft isn't […]
    • bobjonkman repeated a notice by lnxw48a1 26 June 2022
      RT @lnxw48a1 Seen via @sullybiker https://freeradical.zone/@thenewoil/108539077382008407 Microsoft bans in #Minecraft will soon carry over to privately run servers as well. One commenter said "Seems like there is a really simple solution here: Don't be a toxic asshole on a public server." But once $CORPORATION starts interfering with privately hosted servers in any way, those servers' […]
    • New note by bobjonkman 27 May 2022
      Mind you, there's something charming and soporific about listening to a professional baseball game with an old-fashioned, laid-back announcer. But most of those have retired... #ASMR
    • New note by bobjonkman 27 May 2022
      Applies to all professional #Sportsball: begging to see overpaid drug-users doing something that the rest of us would gladly do for free. When I walked our dog we'd pass the local baseball field, and we'd stop and watch the game for hours. But the one time I went to a professional baseball match (Toronto Blue […]
    • New note by bobjonkman 19 May 2022
      I've had all my clocks and watches on 24hr time ever since...
    • New note by bobjonkman 19 May 2022
      When I was a young pup, just started my first job. Woke up at 4:30 one day, panicked, "I've slept through the whole day, I'll get fired!!" It was 4:30am, of course. Don't recall if I got back to sleep or not.
    • bobjonkman repeated a notice by lnxw48a1 19 May 2022
      RT @lnxw48a1 I woke up around 02:45, thinking it was 07:45. Before 03:00, I realized it wasn’t time to get up. I still really feel the lack of #sleep 💤.
    • Favorite 19 May 2022
      bobjonkman favorited something by lnxw48a1: I woke up around 02:45, thinking it was 07:45. Before 03:00, I realized it wasn’t time to get up. I still really feel the lack of #sleep 💤.
    • New note by bobjonkman 14 May 2022
      "A Supreme Court that doesn't give a damn what the public wants ... is exactly what a Supreme Court is for, actually." True enough. But elected representatives in government *are* supposed to do what people want, that's why they get elected. If they had fulfilled their obligations to actually represent the citizens' wants then the […]
    • bobjonkman repeated a notice by clacke 14 May 2022
      RT @clacke People, not all people but most people, are angry about the wrong thing. I agree that Roe v Wade being canceled is a bad outcome. I agree that women should have the right to their bodies, but here's my possibly unpopular take: A Supreme Court that doesn't give a damn what the public […]

Archive for October, 2011

How to hold a Key Signing Party

Posted by Bob Jonkman on 14th October 2011

Key in lock

Key by Quasimondo

While planning a Keysigning Party, the organizer suggested that among the things to bring:

Some ID would also be a good idea, for those who do not already know you.

No no no.

If people don’t know you, then they shouldn’t be signing your key. If you don’t know someone, then you shouldn’t be signing their key.

Using ID of any sort is assigning trust by proxy to an “authority”. You’re no longer vouching for a person based on your own knowledge, but relying on the “authority” to provide that trust. If you’re going to rely on third-party authorities you might as well revert to a hierarchical PKI and pay lots of money to a certificate authority to assign levels of trust for you.

The point of the keysigning is to associate a key value with a real person, with no opportunity for a Man in the Middle attack [1]. It is not to verify name, address and permission to drive in Ontario.

When I sign your key it is not because the government says that you’re allowed to drive under your name, but I sign your key because I believe that you’re the same guy who drinks Jagermeister and hacks on Blackberries and hangs out at the Syrup Festival. It is based on my personal knowledge of you, and my trust in your claim that you own the GPG key with fingerprint D2CCE5EA [2].

The Web of Trust extends this, so that since I trust your identity and judgment, I’m also likely to grant some level of trust to the people you trust. After a successful keysigning party then I’m going to trust many more people because they’re all trusted by people I trust. And I’ll be trusted by more people, because they trust the people who have signed my key.

So, how do you hold a keysigning party? Here’s an excerpt from the PGP FAQ:

I’ve written complete instructions for holding a Formal Keysigning.

The comp.security.pgp FAQ

Wouter Slegers

This FAQ is copyright © 2001 by Wouter Slegers.

It may be distributed freely in online electronic form, provided the copyright notice is left intact. Since this FAQ is always available from USENET and the PGP network, there should be no problems getting access to it. However mirrors with outdated versions can confuse the users, so I request you not to mirror this FAQ elsewhere.

[…]

Q: What’s a key signing party?

A: A key signing party is a get-together with various other users of PGP for the purpose of meeting and signing keys. This helps to extend the web of trust to a great degree, making it easier for you to find one or more trusted paths to someone whose public key you didn’t have.

Kevin Herron has an example of a keysigning party announcement page [3].

Q: How do I organize a key signing party?

A: Though the idea is simple, actually doing it is a bit complex, because you don’t want to compromise other people’s private keys or spread viruses (which is a risk whenever floppies are swapped willy-nilly). Usually, these parties involve meeting everyone at the party, verifying their identity and getting key fingerprints from them, and signing their key at home.

Derek Atkins has recommended this method:

There are many ways to hold a key-signing session. Many viable suggestions have been given. And, just to add more signal to this newsgroup, I will suggest another one which seems to work very well and also solves the N-squared problem of distributing and signing keys. Here is the process:

  1. You announce the keysigning session, and ask everyone who plans to come to send you (or some single person who will be there) their public key. The RSVP also allows for a count of the number of people for step 3.

  2. You compile the public keys into a single keyring, run pgp -kvc on that keyring, and save the output to a file.

  3. Print out N copies of the pgp -kvc file onto hardcopy, and bring this and the keyring on media to the meeting.

  4. At the meeting, distribute the printouts, and provide a site to retrieve the keyring (an ftp site works, or you can make floppy copies, or whatever — it doesn’t matter).

  5. When you are all in the room, each person stands up, and people vouch for this person (e.g., “Yes, this really is Derek Atkins — I went to school with him for 6 years, and lived with him for 2”).

  6. Each person securely obtains their own fingerprint, and after being vouched for, they then read out their fingerprint out loud so everyone can verify it on the printout they have.

  7. After everyone finishes this protocol, they can go home, obtain the keyring, run pgp -kvc on it themselves, and re-verify the bits, and sign the keys at their own leisure.

  8. To save load on the keyservers, you can optionally send all signatures to the original person, who can collate them again into a single keyring and propagate that single keyring to the keyservers and to each individual.

I’m going to have to put my key signature where my mouth is. Hopefully there will be another key signing party soon, for which I will be more prepared.

–Bob.

[1] Yes, it is still possible to have a meatspace MitM attack if you’re signing keys for people you don’t know and relying on ID. If you’ve never met me before then it is possible that someone mugs me in the parking lot, takes my ID and wears my goofy hat. If you don’t know me you would never be able to tell the difference, and you’d be signing a key for the wrong person.

[2] Although that’s really my PGP key, so as not to divulge the identity of innocent and unsuspecting Key Signing Party Organizers.

[3] Sadly, Kevin Herron makes the same mistake of requiring "Positive picture ID". Please ignore that part.

Key by Quasimondo is used under a Creative Commons by-nc license.

Tags: , , , , , , , , , , , , , ,
Posted in PGP/GPG, privacy | 1 Comment »

The Verdict on Google Plus: Mostly Harmless

Posted by Bob Jonkman on 13th October 2011

Don't Panic, They're Only Vogons

Don't Panic, They're Only Vogons by Patrick Hoesly

After dissing Google Plus I was persuaded to try it out for a while before rendering a verdict. So now it’s been over two months, and my verdict is: Mostly Harmless.

When I get home after a hard day of working with a computer, I sit down for a pleasant evening of relaxation with a computer. I read my e-mail, read the news, and read the microblogs. I subscribe to 55 people on Identi.ca, and I follow 84 people on Twitter. Those 139 people generate sufficient 140 character messages to keep me reading until bedtime and beyond.

But on my Google Plus account, I have 27 people in my circles. Those 27 people create a lot of large messages. In fact, they generate a lot more content than my 139 Identicats and Tweeple, since Google Plus puts no limit on the size of messages.

22 of the 27 people are in my Tech Circle. But instead of receiving only technical content from these people, they’re posting messages about vacations, favourite bands, philosophy, and yes, pictures of cats.  Now, this happens on the microblogs too, but on a microblog it’s limited to 140 characters, and I can ignore them.  On Google Plus the posts are much longer, have pictures attached, comments from other people, and those ubiquitous “John Q. Public originally shared this post” and “Click to +1 this post”.  Google Plus does not have the tools to filter messages by content, or even a method to collapse a conversation thread.

There’s no Atom/RSS feed, so I can’t use my preferred feed reader to analyze, sort and organize my Google Plus message stream. And I don’t know of any third-party applications to read, write and manage content on Google Plus. Google Plus does allow the export of all its content, under Account Settings, Data Liberation. Contact info is in the standard vCard format, suitable for importing into addressbooks.

Kudos to Google for giving users useful control of their data. Still, Google also has access to that data, and continues to collect ever more. In the past I’ve recommended Google Mail as a preferred no-cost e-mail host. Recently Google has taken to verifying new users by requiring them to supply a phone number. Google then sends a text message for the user to enter into the registration form. This is a level of data collection that I find creepy, and so I no longer recommend Google Mail.

Finally, to top it all off are the Google Nymwars. Much has been written about why Google’s policy of requiring real names is wrong-headed. Some people whom I might follow have stopped using Google Plus because of the nymwar controversy. I think I’ll be joining them in disdaining Google Plus.

  • Google Minus: Banality of user content (not Google’s fault)
  • Google Minus: Lack of management tools
  • Google Plus: User control over data
  • Google Minus: Google control over data
  • Google Minus: Nymwars

I think that Google Plus is not the Facebook Killer the folks in Mountain View want it to be.



The image 740 – Towel Day – Pattern by Patrick Hoesly is used under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) license.

Tags: , , , , , , , , , , , , , , , , ,
Posted in considered harmful, Google, Google Free, Microblogging, Social Media | Comments Off on The Verdict on Google Plus: Mostly Harmless

 
Better Tag Cloud