SFD09 – The final call for volunteers

> Hello,
>
> As you all know Software Freedom Day 2009 is due to take place on
> Saturday, 19th September at the University of Manchester
> <http://manchester.fsuk.org/blog/2009/09/08/manchester-software-freedom-day-19th-september-2009/>
> and many of you have already expressed a keen interest in attending
> and participating.
>
> Now that we are less then two weeks away, it is time to finalise these
> arrangements and get your name on the SFD team wiki
> <http://softwarefreedomday.org/teams/europe/uk/manchester>.

>>
>>
>
> i'm definitely going to be around this saturday (moving into halls and
> preparing for the induction week)
>
> i'm a coder[1] (over towards the OS end of the FOSS spectrum) and an
> Apache Member[1] with an interest (if you can call it that) in legal
> (and licensing) issues, community building and FOSS organisational
> structures.
>
> looks like the stuff you're planning is all aimed at end user
> evangelism. which is cool. outside practical crypto, this isn't my
> strength. but if it turns out you find yourselves short of someone to
> pick up some of the more esoteric technical stuff (coding, legal,
> licensing or organisational), then i'd probably be able to do a lot of
> that off the cuff. i'll try to drop in early and leave a mobile phone
> number.
>
> given the progress made on breaking SHA-1[3], i'm very keen to swap my
> new openpgp code signing key with others in the FOSS web of trust. if
> there are people interested, i'd be happy to do key signing party (if
> there isn't one already) or talk people through how to set up GnuPG[4]
> to generate strong keys and strong links in the WOT[4][5].

> On 17 Sep 2009, at 12:26, Robert Burrell Donkin
> <robertburrelldonkin@...> wrote:
>
> [snip]
>
>>>
>>>
>>
>> i'm definitely going to be around this saturday (moving into halls and
>> preparing for the induction week)
>>
>> i'm a coder[1] (over towards the OS end of the FOSS spectrum) and an
>> Apache Member[1] with an interest (if you can call it that) in legal
>> (and licensing) issues, community building and FOSS organisational
>> structures.
>>
>> looks like the stuff you're planning is all aimed at end user
>> evangelism. which is cool. outside practical crypto, this isn't my
>> strength. but if it turns out you find yourselves short of someone to
>> pick up some of the more esoteric technical stuff (coding, legal,
>> licensing or organisational), then i'd probably be able to do a lot of
>> that off the cuff. i'll try to drop in early and leave a mobile phone
>> number.
>>
>> given the progress made on breaking SHA-1[3], i'm very keen to swap my
>> new openpgp code signing key with others in the FOSS web of trust. if
>> there are people interested, i'd be happy to do key signing party (if
>> there isn't one already) or talk people through how to set up GnuPG[4]
>> to generate strong keys and strong links in the WOT[4][5].
>
> Excellent, thanks for getting in touch. I know a few people in the group
> with similar interests so you won't feel left out if you do decide to attend
> on Saturday.

> On Thu, Sep 17, 2009 at 1:52 PM, Simon Ward <simon@...> wrote:
>> On Thu, Sep 17, 2009 at 12:26:37PM +0100, Robert Burrell Donkin wrote:
>>> given the progress made on breaking SHA-1[3], i'm very keen to swap my
>>> new openpgp code signing key with others in the FOSS web of trust. if
>>> there are people interested, i'd be happy to do key signing party (if
>>> there isn't one already) or talk people through how to set up GnuPG[4]
>>> to generate strong keys and strong links in the WOT[4][5].
>>
>> I’m happy to join in and help with this.
>
> cool :-)
>
> what's be the best way to get organised? are there enough people with
> keys to do a formal party? or would something ad hoc be better?
>
> - robert

> On Thu, Sep 17, 2009 at 06:15:54PM +0100, Leslie I'Anson wrote:
>>> what's be the best way to get organised? are there enough people  
>>> with
>>> keys to do a formal party? or would something ad hoc be better?
>
> A formal key-signing party would ideally have prepared lists of
> fingerprints sent to the coordinator before the event, and I don’t t
> hink
> there is enough time before SFD to do this.
>
> Because of the nature of the event we don’t have a fixed list of poe
> ple
> going (except maybe a core who have said they’ll be there).
>
> For these reasons I’d go for ad-hoc.
>
>> My advice would be to hold a workshop (or two) first. Then numbers
>> won't be so much of a problem.
>
> I think workshops would be useful, but I think the idea of people  
> being
> shown how, followed by generating their own keys, and then doing the
> verification for signing is iffy.

>
>
> Simon
> --
> A complex system that works is invariably found to have evolved from a
> simple system that works.—John Gall
> _______________________________________________
> Fsuk-manchester mailing list
> Fsuk-manchester@...
> http://lists.nongnu.org/mailman/listinfo/fsuk-manchester

> On 17/09/2009, Robert Burrell Donkin <robertburrelldonkin@...> wrote:
>> On Thu, Sep 17, 2009 at 1:52 PM, Simon Ward <simon@...> wrote:
>>> On Thu, Sep 17, 2009 at 12:26:37PM +0100, Robert Burrell Donkin wrote:
>>>> given the progress made on breaking SHA-1[3], i'm very keen to swap my
>>>> new openpgp code signing key with others in the FOSS web of trust. if
>>>> there are people interested, i'd be happy to do key signing party (if
>>>> there isn't one already) or talk people through how to set up GnuPG[4]
>>>> to generate strong keys and strong links in the WOT[4][5].
>>>
>>> I’m happy to join in and help with this.
>>
>> cool :-)
>>
>> what's be the best way to get organised? are there enough people with
>> keys to do a formal party? or would something ad hoc be better?
>>
>> - robert
>
> My advice would be to hold a workshop (or two) first. Then numbers
> won't be so much of a problem.
>
> On proposal would be:-
>
> Workshop 1 - Introduction to the technology and tools, etc. (ie. theory + demo)
> Workshop 2 - Generating keys, etc. (ie.putting theory into practice)

> On Thu, Sep 17, 2009 at 6:15 PM, Leslie I'Anson <leslie.ianson@...>
> wrote:
>> On 17/09/2009, Robert Burrell Donkin <robertburrelldonkin@...>
>> wrote:
>>> On Thu, Sep 17, 2009 at 1:52 PM, Simon Ward <simon@...> wrote:
>>>> On Thu, Sep 17, 2009 at 12:26:37PM +0100, Robert Burrell Donkin wrote:
>>>>> given the progress made on breaking SHA-1[3], i'm very keen to swap my
>>>>> new openpgp code signing key with others in the FOSS web of trust. if
>>>>> there are people interested, i'd be happy to do key signing party (if
>>>>> there isn't one already) or talk people through how to set up GnuPG[4]
>>>>> to generate strong keys and strong links in the WOT[4][5].
>>>>
>>>> I’m happy to join in and help with this.
>>>
>>> cool :-)
>>>
>>> what's be the best way to get organised? are there enough people with
>>> keys to do a formal party? or would something ad hoc be better?
>>>
>>> - robert
>>
>> My advice would be to hold a workshop (or two) first. Then numbers
>> won't be so much of a problem.
>>
>> On proposal would be:-
>>
>> Workshop 1 - Introduction to the technology and tools, etc. (ie. theory +
>> demo)
>> Workshop 2 - Generating keys, etc. (ie.putting theory into practice)
>
> the theory's a bit dull and requires a lot of technical terms to be done
> right
>
> i think that a single hands-on workshop would probably work better. if
> enough people bring along laptops then we can break into small groups
> clustered around those laptops and play around with demo keys based
> around some practical problems.
>
> it'd probably be more fun than listening to myself lecture on prime
> number theory for a couple of hours ;-)
>
>> Reward - Key signing "party" (ie. lots of people we new keys to sign)
>
> any key signing party needs to be a separate event (for security
> reasons). the only demo keys not intended for distribution should be
> used at a workshop. but yes, i can organise a formal key signing party
> after the workshop.
>
>
> i would like to try to meetup with anyone who already uses OpenPGP
> since the benefits of signing a key depend on how connected that key
> is
>
> suppose Alice is well connected to the Apache WOT. then most Apache
> release managers will be linked within the three steps that a typical
> trust model uses. Suppose Bob is not well connected. if Bob can verify
> Alice's identity and key fingerprints in person then Bob can verify
> the vast majority of Apache releases.  Alice gains only the ability to
> verify signatures from Bob in return. Bob gains a lot from this
> exchange and Alice very little.
>
> suppose now that Dawn is a well connected Debian maintainer. when
> Alice and Dawn meet personally and verify each other keys the gain is
> high. everyone within two hops of Alice is now connected to everyone
> within one hops of Dawn and vice versa. this is a big gain for the
> FOSS WOT.
>
> my new key is well connected to the Apache WOT through the old key
> one. i'll have my passport and cards with my key fingerprint on.
> anyone how wants to be able to sign my key so they can verify Apache
> releases (and many other FOSS signatures too) is more than welcome to
> take a look and a card. they don't even need to have a key now: if
> they keep the card safe then they can safely sign at any time in the
> future.
>
> if there are going to be people with existing keys there, maybe we can
> pick a time to meetup...
>
> - robert
>

> On Fri, Sep 18, 2009 at 2:44 PM, Dave Page <grimoire@...>
> wrote:
>> On Friday 18 September 2009 13:19:42 Robert Burrell Donkin wrote:
>>
>>> my new key is well connected to the Apache WOT through the old key
>>> one. i'll have my passport and cards with my key fingerprint on.
>>
>> See, signing keys using passports is IMHO a bad idea, which is why it's
>> worth
>> having a discussion about keysigning, what it involves and what you're
>> trying
>> to achieve with it.
>
> my primary use case is release security but public key cryptography is
> flexible and can be used for lots of different stuff
>
> please feel free to kick off the discussion :-)
>
>> I won't (indeed, can't) take part in a keysigning that
>> requires passports.
>
> i will have my passport and my fingerprint. if you don't want to see
> my passport, that's cool with me.
>
> the great thing about OpenPGP is that it's design allows hetrogeneous
> trust choices and multiple trust model
>
> my policy is that i don't create public signatures with my code
> signing key unless i have been able to confidently verify identity.
> this is not unusual for keys used to secure release infrastructure.
>
> other people have different policies. some people have different
> policies for different keys. that's all cool by me.
>
> the only downside of not bringing photo id to a keysigning is that
> some people may elect not to sign your key (or not to publish the
> signature)
>
> - robert
>
>
> _______________________________________________
> Fsuk-manchester mailing list
> Fsuk-manchester@...
> http://lists.nongnu.org/mailman/listinfo/fsuk-manchester
>

> On Fri, Sep 18, 2009 at 02:44:02PM +0100, Dave Page wrote:
>> See, signing keys using passports is IMHO a bad idea, which is why it's worth
>> having a discussion about keysigning, what it involves and what you're trying
>> to achieve with it. I won't (indeed, can't) take part in a keysigning that
>> requires passports.
>
> Verifying identity using *only* passports is probably a bad idea, but
> it’s not black and white.  With the passport, you essentially have a
> third party that you presume (or not) has done some verification that
> you may or may not trust to some extent.  It’s up o you to make that
> decision.