Hello and GnuPG/PGP key signing parties
Hello everyone!
I’m a newbie to this list. The name is Rouben Tchakhmakhtchian; I’ve been a Linux user since about 1998 (dabbled with it a bit before that). I’m currently working at UofT in IT, and am still a die-hard open source enthusiast.
I was wondering, does the GTALUG community still organize GPG key signing events? If not, I would also like to know how much interest there would be in such an event.
Thanks in advance, and my apologies if this is an FAQ type post. I’d be happy to RTFM if you kindly point me in the right direction. :)
Cheers and have a great weekend!
-- Rouben
On 9 March 2018 at 20:56, Rouben via talk <talk@gtalug.org> wrote:
Hello everyone!
I’m a newbie to this list. The name is Rouben Tchakhmakhtchian; I’ve been a Linux user since about 1998 (dabbled with it a bit before that). I’m currently working at UofT in IT, and am still a die-hard open source enthusiast.
I was wondering, does the GTALUG community still organize GPG key signing events? If not, I would also like to know how much interest there would be in such an event.
Thanks in advance, and my apologies if this is an FAQ type post. I’d be happy to RTFM if you kindly point me in the right direction. :)
Cheers and have a great weekend!
It's not something that happens terribly frequently; a lot of people have over the years gotten their favoured keys signed, so there's not a continuous call for more.
That said, someone did send out a note a couple or three weeks ago expressing interest, and it's certainly something that we could take a little while discussing and doing at our next meeting this coming Tuesday.
People interested in getting keys signed should bring paper copies of their signatures to enable exchange.
It may also be worth visiting BigLumber.com that collects keys of people interested in doing key exchanges.
http://biglumber.com/x/web?sl=97
Some of the material there is pretty old, but I recognize some likely names...
--
When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"
Sorry, I noticed this message just now. -- I was the one who expressed the interest of getting the key signed before.
So *bring paper copies of our signatures* to enable exchange is the only thing needed to get my key signed? -- I'm asking because if I come to today's meeting, I have to get back home now, to grab my laptop (if that paper copy is not enough and I also need to sign other people's key as well), then head back downtown again. And I'm not too sure if my GPG key is secure enough to be used & signed by other people. -- I.e., I was planning to review it once I confirm a key signing date.
Can we host the key signing party in the next meeting please?
Because going through the message trail, I did find one more person requesting to be on the next meeting,
I should be able to attend the April 10th meeting though.
OK? Thx.
On Fri, Mar 9, 2018 at 9:45 PM, Christopher Browne via talk - talk@gtalug.org wrote:
It's not something that happens terribly frequently; a lot of people have over the years gotten their favoured keys signed, so there's not a continuous call for more.
That said, someone did send out a note a couple or three weeks ago expressing interest, and it's certainly something that we could take a little while discussing and doing at our next meeting this coming Tuesday.
People interested in getting keys signed should bring paper copies of their signatures to enable exchange.
It may also be worth visiting BigLumber.com that collects keys of people interested in doing key exchanges.
http://biglumber.com/x/web?sl=97
Some of the material there is pretty old, but I recognize some likely names...
--
When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"
---
Talk Mailing List talk@gtalug.org https://gtalug.org/mailman/listinfo/talk
Regrettably I must also bow out - family emergency. Let’s try next meeting.
On Tue, Mar 13, 2018 at 17:14 Antonio Sun via talk <talk@gtalug.org> wrote:
Sorry, I noticed this message just now. -- I was the one who expressed the interest of getting the key signed before.
So *bring paper copies of our signatures* to enable exchange is the only thing needed to get my key signed? -- I'm asking because if I come to today's meeting, I have to get back home now, to grab my laptop (if that paper copy is not enough and I also need to sign other people's key as well), then head back downtown again. And I'm not too sure if my GPG key is secure enough to be used & signed by other people. -- I.e., I was planning to review it once I confirm a key signing date.
Can we host the key signing party in the next meeting please?
because going through the message trail, I did find one more person requesting to be on the next meeting,
I should be able to attend the April 10th meeting though.
OK? Thx.
-- Rouben
Hi Rouben,
I am also looking for someone to sign my key, and I had a brief exchange on this topic at the IRC channel, #torontocrypto @ irc.oftc.net yesterday.
Next week is the March break week, I will be travelling and for this reason I won't be able to attend the GTALUG meeting next Tuesday. I should be able to attend the April 10th meeting though.
In the interim, I'd be happy to sign your key in exchange for signing my key if you are willing/able to meet with me somewhere in the GTA. Please PM me if you are interested.
On 9 March 2018 at 20:56, Rouben via talk <talk@gtalug.org> wrote:
Hello everyone!
I’m a newbie to this list. The name is Rouben Tchakhmakhtchian; I’ve been a Linux user since about 1998 (dabbled with it a bit before that). I’m currently working at UofT in IT, and am still a die-hard open source enthusiast.
I was wondering, does the GTALUG community still organize GPG key signing events? If not, I would also like to know how much interest there would be in such an event.
Thanks in advance, and my apologies if this is an FAQ type post. I’d be happy to RTFM if you kindly point me in the right direction. :)
Cheers and have a great weekend! -- Rouben
On Friday, March 09 2018, Rouben via talk wrote:
I’m a newbie to this list. The name is Rouben Tchakhmakhtchian; I’ve been a Linux user since about 1998 (dabbled with it a bit before that). I’m currently working at UofT in IT, and am still a die-hard open source enthusiast.
I was wondering, does the GTALUG community still organize GPG key signing events? If not, I would also like to know how much interest there would be in such an event.
Hi Rouben,
I sent an e-mail recently about doing a keysigning party at the next meeting, which will be on the 13th. One more person manifested interest, and now you also said you would like to do it. That's great. I think we should look for each other during the next meeting (or maybe do an announcement after the meeting is over but before going to the pub?) and do the signings.
As has been said already, each person who is interested in getting their keys signed MUST bring paper slips containing information about their keys (on Debian GNU/*, you can install the "signing-party" package, which comes with the "gpg-key2ps" tool), and a government piece of identification (if you can bring two pieces, even better).
We can do the signing either in the classroom or in the pub, whatever is more convenient.
Cheers,
-- Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sergio wrote:
and a government piece of identification (if you can bring two pieces, even better).
Let me post my usual diatribe against using third-party ID for keysigning...
Signing a GnuPG/PGP key is an indication that the signer believes that a particular key is controlled by the entity named on the key. It is not your third-party acknowledgement that a person is allowed to drive an automobile in Ontario, or is allowed to receive health care, or is allowed to travel to foreign lands.
The GnuPG/PGP Web Of Trust is based on individual knowledge of each other. It was designed specifically to avoid a central authority certifying a key or the identity associated with a key. Requiring government ID to sign a GnuPG/PGP key puts identity certification back into the hands of an authority. It's a proxy for your personal knowledge of each other. If you require government ID, if you don't believe that the key belongs to the identity named on that key, then you shouldn't be signing that key.
You can establish rudimentary knowledge of each other by exchanging a shared secret in two encrypted messages, which you then exchange again in person at the keysigning. For example, I send you an encrypted and signed message with "Yellow Beard", and you send me one with "Pink Elephant". At the keysigning I ask "Yellow?" and you reply "Beard!", then you ask "Pink?" and I reply "Elephant!" This verifies we've received each other's encrypted mail, and gives some assurance that we each really own the GnuPG/PGP keys on that e-mail. It can be done the other way as well -- exchange the shared secret in person first, then verify with an encrypted and signed message later.
The best way to establish trust for another person is to know them. But even if you've never met in person, if you've exchanged signed or encrypted e-mail over the long term then you have some knowledge of each other, and you can decide if your e-mail correspondent is really the person you're meeting at the keysigning.
This is why I sign every e-mail message I write. Without ever having met me or signing my key, you can be sure that every message with my signature comes from the same person, and you can judge from my writing and speaking style that the person you meet is the same person who sent those messages on the list. In fact, some people will sign a key based simply on long-term e-mail correspondence without ever meeting that correspondent, verifying that the signer believes that key belongs to the e-mail address they know so well.
A key could also be held by an organization such as GTALUG, or it could even represent an event such as a keysigning. There's no government ID for that. Will you require to see the GTALUG articles of incorporation for anyone using an @gtalug.org e-mail address?
I do recommend that the keymaster for a keysigning event generates a key specifically for that event. Signing such a key means the signer believes that key is used to represent attendance at the keysigning, and having a keysigning key's signature on your key means that you attended that keysigning event. That's extra work for the keymaster, but gives an added level to the Web of Trust.
I'm sorry that I won't be able to come to Toronto for a keysigning anytime in the near future; maybe a keysigning could be a regular feature every few months or so.
I've written about running keysigning parties:
http://bob.jonkman.ca/blogs/2011/10/14/how-to-hold-a-key-signing-party/
https://sobac.com/wiki/Formal_Keysigning
https://sobac.com/wiki/Informal_Keysigning
https://sobac.com/wiki/Guidelines_for_Key_Signing_Parties
- --Bob.
On 2018-03-10 03:53 PM, Sergio Durigan Junior via talk wrote:
Hi Rouben,
I sent an e-mail recently about doing a keysigning party at the next meeting, which will be on the 13th. One more person manifested interest, and now you also said you would like to do it. That's great. I think we should look for each other during the next meeting (or maybe do an announcement after the meeting is over but before going to the pub?) and do the signings.
As has been said already, each person who is interested in getting their keys signed MUST bring paper slips containing information about their keys (on Debian GNU/*, you can install the "signing-party" package, which comes with the "gpg-key2ps" tool), and a government piece of identification (if you can bring two pieces, even better).
We can do the signing either in the classroom or in the pub, whatever is more convenient.
Cheers,
- -- Bob Jonkman <bjonkman@sobac.com> Phone: +1-519-635-9413 SOBAC Microcomputer Services http://sobac.com/sobac/ Software --- Office & Business Automation --- Consulting GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Ensure confidentiality, authenticity, non-repudiability iEYEARECAAYFAlqlh00ACgkQuRKJsNLM5eowTQCdG40A9N5kGZ6IQZLUq/hwPKWL Z2gAn2ZKcxIHmcxS5XlbHwAGdr/jDypk =QfCn -----END PGP SIGNATURE-----
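The two checks discussed in the messages above (key information on a paper slip, and the shared-secret phrase sent by encrypted mail) combined into one pre-signing check, as an added example that is not code from any list member. It parses constructed `gpg --with-colons --fingerprint` output for an invented key; the function names, the sample key and the 40-hex-digit (v4) fingerprint length are assumptions of this example.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for an invented
# key (not a real key); only the record types this check needs are shown.
SAMPLE_COLONS = """\
pub:-:4096:1:89ABCDEF01234567:1520000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1520000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:-:4096:1:76543210FEDCBA98:1520000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

def primary_keys(colons):
    """Map each primary-key fingerprint to its user IDs (subkey fpr records skipped)."""
    keys, current, after_pub = {}, None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            after_pub = f[0] == "pub"
        elif f[0] == "fpr" and after_pub and len(f) > 9:
            current = f[9].upper()          # field 10 of an fpr record
            keys[current] = []
            after_pub = False
        elif f[0] == "uid" and current and len(f) > 9:
            keys[current].append(f[9])      # field 10 of a uid record
    return keys

def slip_fingerprint(text):
    """Normalize a fingerprint copied from a paper slip; refuse short key IDs."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("slip must carry the full 40-hex-digit fingerprint")
    return fpr

def reasons_not_to_sign(colons, slip_fpr, slip_uid, phrase_sent, spoken_reply):
    """Return the failed checks; an empty list means all of them passed."""
    try:
        fpr = slip_fingerprint(slip_fpr)
    except ValueError as err:
        return [str(err)]
    problems = []
    uids = primary_keys(colons).get(fpr)
    if uids is None:
        problems.append("slip fingerprint does not match the fetched key")
    elif slip_uid not in uids:
        problems.append("user ID on the slip is not on the key")
    # Second half of the phrase sent by encrypted mail, e.g. "Beard" for "Yellow Beard".
    expected = re.sub(r"\W", "", phrase_sent.split()[-1]).casefold()
    if re.sub(r"\W", "", spoken_reply).casefold() != expected:
        problems.append("challenge reply does not match the phrase sent")
    return problems
```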
On 2018-03-11 03:45 PM, Bob Jonkman via talk wrote:
I do recommend that the keymaster for a keysigning event generates a key specifically for that event.
We tried a formal keysigning party at GTALUG once. It was a lot of work and I think we extended the Web of Trust by four people.
The WoT assumes that the underlying code and algorithms aren't broken, which very few people are in a place to verify. They also require that everyone in the WoT practises the very best key hygiene: people are fallible; see last year's leak of the private key for Adobe's incident response team.
cheers,
Stewart
participants (7)
- Antonio Sun
- Bob Jonkman
- Christopher Browne
- Rouben
- Sergio Durigan Junior
- Stewart C. Russell
- Val Kulkov