[ale] PGP/GPG Keysigning party! ALE Central November 19th.
On Wed, Oct 28, 2009 at 10:57 AM, Michael B. Trausch
<mbt at zest.trausch.us> wrote:
> On Wed, 2009-10-28 at 10:41 -0400, Jim Lynch wrote:
>> I for one would like to know exactly what this activity is good for. I
>> understand that one of the uses of these keys is to be sure an email
>> is from who you think it is. Exactly what activities are you guys
>> involved in that require that level of security? Obviously you are
>> doing something other than sending responses to the various
>> questions/issue on this list.
>>
>> I'm not criticizing, just very puzzled 'cause I have no real idea of a
>> practical use for this level of security.
>>
>> Thanks for the enlightenment.
>
> GPG signatures are good for the case where you want to see if the
> message was altered in transit. However, where they really shine is
> encrypted communications. Everything you write on the Internet and send
> by way of HTTP (not HTTPS) and email (which is inherently insecure) is
> sent in plain old, very readable and modifiable text.
>
> Here's an example.
>
> Imagine that you're writing to a friend to tell her what you're getting
> for various members of her family. Now, imagine that I am her husband,
> and I control that network, and that I am a nosy bastard. Your message
> is probably screened through some program and I see it and read it. I
> can also modify it; she'll never know.
>
> Imagine the same situation, but instead, I work for her ISP and am not
> her husband. I can see the message as it passes through my network,
> optionally logging it and reading it later should I choose to do so. In
> fact, I have no reason to believe that ISPs don't already do this with
> unencrypted communications. After all, they're the prime points of
> interception on this great big network. They can intercept, modify, and
> then deliver the message---without detection.
>
> Now, imagine that I am the President. (That ought to be good for a
> laugh.) I sign an Executive Order compelling some random other entity
> or person in the government to begin collecting and analyzing all
> plaintext traffic on the Internet and logging it and attributing it to
> those who wrote it, watching for bad behavior and being the Big Brother
> we all don't want to have power. (They already do some form of this
> already, actually, or at least they did.) If it becomes convenient they
> can compel an ISP to cooperate and intercept messages so that the
> government can modify them and send the modified versions to their
> recipients. If messages carry OpenPGP signatures, this is not possible
> (well, not likely*) and the government cannot insert itself into the
> dialogue. With encryption, the government cannot even see what is being
> said. Same goes for the ISP, or that pesky nosy neighbor that is on the
> same cable network as you are and is snooping around the node for
> anything that looks to be "interesting".
>
> --- Mike

I get all of the above by pulling your public key from a key server
and using pgp.

The purpose of a signing party is to allow me to have confidence that
the "Michael B. Trausch" who is part of ALE is the same person that
has a key on the key server.

Like Jim, I'm not sure I need that for very many of the ALE'ers.

And for the few I might need that for I can call them and say, "I
pulled your public key from the key server, can you send me a pgp
encrypted email so I can verify the public key I have is actually
yours".

So, my question is not "What is pgp good for?". My question is "What
is a key signing party good for?"

Thanks
Greg