Chris Quenelle's Weblog
Thoughts on developer tools.

Sunday February 05, 2006

Keysigning...

I've been reading about keysigning parties today, and trying to study about OpenPGP (which uses a so-called "web of trust" and S/MIME (which uses "certificate authorities"). S/MIME is simpler to use and it's top-down. You get an official company to vouch that your cryptographic key (your certificate actually) really belongs to someone with your name and email address. With OpenPGP, it's other OpenPGP users who vouch for you. Keysigning parties are where you get together in person with other PGP users and sign each other's certificates.

I'm looking at the issue from an identity point of view, and not from a security point of view.  I haven't figured out why there's no mention of signing each other's certificates online.  If I know someone via email and/or IM, when can't I run a little utility program on my computer that validates someone else using email or IM?  The cryptographic theory is that the "Jim Smith" I know over email might not actually be named "Jim Smith" in his own warm and breathing flesh. (Like I care). So in theory, I have to meet them in person.  Of course, meeting them in person doesn't guarantee they aren't D. B. Cooper with a fake ID. "But hey," (the crypto-wonks say) "it's a guarantee that your security hasn't been compromised by a man-in-the-middle attack."

The vast majority of us aren't important enough for anyone to scam us in that way.  If you tell your buddy that you're going to be out of town over the weekend, and you use an unsecured IM channel to tell them that, then it's pretty unlikely someone is going to eavesdrop on you and use that information to rob your house.  Unless you're Bill Gates.

So can someone explain it to me?  Wouldn't OpenPGP be much more successful if you could trust people that you met online?  After all, you're not vouching for their credit rating or anything, you're just verifying they are a "real" person who answers to some specific name and email address.

Posted by Chris Quenelle ( Feb 05 2006, 09:52:27 PM PST ) - Permalink - Comments [1] - Software Philosophy

Older blog entries:

• Blog relocation
• C++ and OpenMP runtime libraries in Solaris
• command-not-found for OpenSolaris?
• Goodbye Solaris 9 (for Sun Studio)
• git user's guide?
• New Sun Studio FAQ site
• Dbx versus gdb
• Django (actually MySQL-python) and RPATH
• SXDE 5/07 -- Solaris Express Developers Edition
• Debugging tips for threaded programs on Solaris
• New dbx blog!
• libumem dbx module update (works on Solaris 9 now)
• Using dbx and libumem to find memory problems
• Latest Sun dwarf extensions
• dbx .ldynsym support - stack traces for stripped programs
• Using LDAP inside Sun
• gnome kstats
• Calling Sun Studio users...
• Compiler options by category and platform
• What do you call 64-bits?
• Sun Studio resources on genunix.org
• mod_auth_ldap
• Find Data Races and Deadlocks
• Goodbye -xarch=amd64, hello -m64
• Intel and Sun
• Sun Studio Express 3 lives again!
• Sun Studio Express 3 -- bad tarballs
• Sun Studio Wiki
• Introduction to Functional Programming Concepts
• OpenID starting to take off (finally)
• Dwarf and XML
• Sun Studio Express 3 (new GUI!)
• The latest Nevada/dbx bug
• Patch Check Advanced
• Dbx help docs in HTML
• Performancing at work.
• Performancing
• I keep forgetting how closures work...
• malloc interposition can't possibly work reliabily
• Dbx can crash with g++ symbols
• Sun Studio and patchadd -G
• Linux dbx patch available!! (for Sun Studio 11)
• Enterprise versus The Developer
• Data Race in my last example
• Graphical display of thread synchronization
• Attempting to tame StarOffice HTML
• My single greatest accomplishment
• Empty hallways ...
• Red Hat versus Ubuntu
• Markets without Marketing
• Instruction set selection in Sun Studio and gcc (Grudge match: -xarch versus -fast)
• Linux compilers update
• Community and Terminology
• Data Race Detection Tool and Sun Studio Express
• Fast threads
• /bin considered harmful
• AMD64 Nevada b37-b40 doesn't like dbx
• Solaris 10: Ack! Where did my archive libraries go?
• Anti-help
• Taking the plunge!
• Why can't dbx find my function?
• Solaris Day at the University of Washington
• Getting started with dtrace
• parallel features of dmake and gmake
• Linux headers are gcc-specific
• 32 versus 64-bit programs
• Sun Studio and Solaris integration
• Conform
• How to use libumem to find a bad free call
• Reporting bugs
• New blog theme
• Blogging client
• Page-o-links (good Sun Studio links!)
• Installing dual boot
• Blogger RTE editor
• Optimizing synchronization
• Keysigning...
• Sun email servers
• FREE SUPPORT for Sun Studio compilers and tools
• Using separate .dbg files with dbx
• Beyond Java
• CMT and MT
• Johnny L's layup
• misligned ELF section headers
• Sun Studio IDE -- turning off locals
• Two bad Solaris bugs that affect dbx users
• Supporting threads is harder than it seems
• Non-java developers unite!
• Sun Studio 11, less expensive than ever!
• Importing debug information into dbx
• The story of lazy stabs
• java google toolbar
• MAP_NORESERVE and dbx
• debug info in XML, and DSD 2.0
• shadows.com
• Concurrency utils for C/C++
• simple umem integration with dbx
• The Good Old Motif Workshop IDE
• Give it away for free, and make it up in volume!
• Technorati