Originally Published: Friday, 24 November 2000 Author: Amanda J. Waterman
Published to: daily_feature/Linux.com Feature Story

The Philadelphia Linux Web of Trust

Neat! Every month, people hang out after the Philadelphia Linux User Group and Philadelphia Area Debian Society meetings and exchange gpg fingerprints and keys. This isn't just a great way to authenticate yourself, it's also a great way to get out and meet fellow Linux enthusiasts! Amanda Waterman, Assistant Project Manager of the LUG section of Linux.com, tells us how Darxus and his friends at PLUG make it happen.

When we hear of Users Groups participating in new, different and exciting activities, we feel the need to get the word out for anyone else who may like to join them in the endeavor or try it for him or herself.

One such activity is the Web of Trust. Darxus with PhillyLUG wrote in to tell us about PLUG's venture with PADS. Both groups have come together to develop a Web of Trust. At the end of each of their respective meetings, they gather for keysigning parties. According to Darxus, "I think it's gone rather well. It's fun, and falls well within the interests of the kinds of people who show up."

GNU Privacy Guard (GPG) is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions.

"More info and pretty graphs of signature relationships can be found at http://www.phillylinux.org/keys. GPG (www.gnupg.org) does public key encryption, like PGP. You can encrypt stuff so that only the intended recipient (not even you) can decrypt it, and you can cryptographically sign something so that anyone can verify that you signed it, and it hasn't changed (to maintain file integrity). Many things, including the Linux kernel, have gpg/pgp signatures available with the downloadable files so that they can be verified."

"You can also sign someone else's public key as evidence for others that the person whose key you signed is who they claim to be. The way I do it is, I ask everyone who wants to participate to email me their public key before the meeting, and then bring photo ID (license or passport), and a verified copy of their fingerprint to the meeting. I then print out all the fingerprints (w/ gpg --fingerprint ID1 ID2....) and distribute a copy to each participant at the meeting."

"We gather in a circle, and then one at a time, each person says their name & email address, and then reads off their verified fingerprint, so that everyone else can verify the fingerprint. Then they pass around their photo ID."

"When everyone gets home, they sign the keys they've verified, and then email me the signature. I merge them all into 1 keyfile, and graph it, and put that up on the URL listed above. I think the graph helps people understand and appreciate it, and increases interest in participation."

"I believe there's been at least one guy that showed up for a keysigning that I'd never seen before. The reason we started doing keysignings is because it is the suggested way to verify your identity when becoming a Debian developer."

To Participate:

Darxus continues...

To get your public key into a file to E-mail me, do something like "gpg -a --export > file". This will write all public keys you have to "file" -- you can specify your email address to only write your own key. To get a copy of your fingerprint to print (or write) out & verify to bring to the meeting, do "gpg --fingerprint". It should look something like this:

pub  1024D/0E9FF879 2000-09-05 Darxus <Darxus@ChaosReigns.com>
     Key fingerprint = DE37 8846 3B06 B97C F661 D68F 7FB5 B0BE 0E9F F879
sub  1024g/2EEAB976 2000-09-05
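The check each participant does at the party (comparing the fingerprint read aloud against the printed sheet) can be automated over the `gpg --fingerprint` listing shown above. This is an added example, not code from the article or from PLUG; it parses the listing format above, using the article's own key as constructed sample input, and also confirms that the short key ID is the trailing eight hex digits of the fingerprint, so a printout and a key listing that don't belong together are caught.

```python
import re

# Constructed sample input: the gpg --fingerprint listing printed in the article.
SAMPLE_OUTPUT = """\
pub  1024D/0E9FF879 2000-09-05 Darxus <Darxus@ChaosReigns.com>
     Key fingerprint = DE37 8846 3B06 B97C F661 D68F 7FB5 B0BE 0E9F F879
sub  1024g/2EEAB976 2000-09-05
"""

# "pub <bits><algo>/<keyid> <date> <user id>"
PUB_RE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8,16})\s+(\S+)\s+(.*)$")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$")


def normalize(fpr: str) -> str:
    """Canonical form of a fingerprint: uppercase hex with no separators."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def parse_fingerprint_output(text: str) -> list:
    """Turn gpg --fingerprint output into {keyid, uid, fingerprint} records."""
    keys = []
    for line in text.splitlines():
        m = PUB_RE.match(line.strip())
        if m:
            keys.append({"keyid": m.group(1).upper(),
                         "uid": m.group(3).strip(), "fingerprint": None})
            continue
        m = FPR_RE.search(line)
        if m and keys:
            # The fingerprint line belongs to the most recent "pub" line.
            keys[-1]["fingerprint"] = normalize(m.group(1))
    return keys


def key_is_consistent(key: dict) -> bool:
    """For OpenPGP v4 keys the key ID is the tail of the 160-bit fingerprint;
    a mismatch means the printed fingerprint is not this key's."""
    fpr = key["fingerprint"]
    return fpr is not None and len(fpr) == 40 and fpr.endswith(key["keyid"])


def fingerprint_matches(read_aloud: str, key: dict) -> bool:
    """Compare the fingerprint read aloud with the printed one. Only a full
    40-hex-digit match counts; agreeing on the 8-digit key ID is not enough."""
    spoken = normalize(read_aloud)
    return len(spoken) == 40 and spoken == key["fingerprint"]
```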

"I also downloaded all the keys that had signed all the keys in my keyring, several times, until I had roughly 6 levels of recursion. Then, I wrote sigtrace to trace the signature relationships through the keyring. I've traced trust relationships from myself to the Linux Kernel key, and from the following to myself:

Linus Torvalds
Wichert Akkerman
Steve Wozniak
Philip R. Zimmermann
Eric S. Raymond

A graph of these results can be found here.

"If I had not participated in these keysigning parties, these signature paths would not connect to me. Being able to show connection to famous people like this could probably also encourage participation."

With LUG members keyswapping, it won't be too long before everyone in the Linux community can communicate in an open way without fear of someone 'stealing' their E-mail address. Also, having a point of contact like a LUG meeting means you'll get to meet your 'trusted' friends live and in-person. Thanks, Darxus!

Related Links

Philadelphia Linux Web of Trust / GPG Keyring

Graphing the Debian Keyring Web of Trust

GPG/PGP Signature Tracing

Keysigning Party Guide

The GNU Privacy Guard