Modern Keysigning
How to Keysign:
- Verify Fingerprint
- Verify Identity
- Obtain authentic copy of key
  - many traps to be avoided
- Sign and send key
  - currently needs MTA
- O(n)
- O(n²)

This is a typical keysigning protocol. It is hard to set up.
@FOSDEM 2011
242 registered participants
Keysigning "parties" suck
A party without beer, only to obtain fingerprints
Keysigning "Parties" are not fun
- people miss them
- They don't print anything
- Single point of failure
Base2
0110000100001100101100100101001000110111101100110111000011101001111010110010000100001000111010001001110011101110000110110110101100000101100110110101100110001110
- Pros: Very accurate, hard to misread
- Cons: Very long
Base16
610CB25237B370E9EB2108E89CEE1B6B059B598E
- Pros: looks familiar to nerds
- Cons: Hard to distinguish characters
Verifying fingerprints is hard
Base64
YQyyUjezcOnrIQjonO4bawWbWY4=
- Pros: Shorter than other things
- Cons: Probably too big of an alphabet
Base58Check
9r9knGannSDvoJyUoGbgyWDUeWGdx7rUC
Keyart
+-------------------+
| . |
| : ? |
|. . ? i |
|.. . . ^ : |
|^ ^ ^ ^ . |
| l ^ . ^ S |
|. ( ^ . |
| E ^ . |
|... |
| ^^ |
|.^. |
+-------------------+
- Pros: Probably simpler to compare
- Cons: Easy to have collisions
Eventually, you've verified the fingerprint and the identity. You try to obtain an authentic copy of the key.
short key ids
evil32.com
Of course you don't use short key ids. Do you..?
Nobody uses short keyids. Except Debian
I don't always use short key ids
And Ubuntu
And pretty much everybody else
on the Internet
issue1579: GnuPG ignores the fingerprint
Also: v3 keys still accepted
So you use the fingerprint instead of short key ids. However, currently shipped GnuPG versions do not check the fingerprint of the key to be imported.
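
The check described above, as an added example (not code from the talk, GnuPG or GNOME Keysign): recompute the v4 fingerprint of the key material actually received and compare it with the full fingerprint verified in person, refusing key IDs and v3 keys. The function names and the sample packets are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

def public_key_body(packet: bytes) -> bytes:
    """Return the body of a leading OpenPGP public-key packet (tag 6)."""
    if len(packet) < 2 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if packet[0] & 0x40:  # new-format header
        tag, first = packet[0] & 0x3F, packet[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + int.from_bytes(packet[2:3], "big") + 192, 3
        elif first == 255:
            length, off = int.from_bytes(packet[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not valid for keys")
    else:  # old-format header: length type 0, 1, 2 means 1, 2, 4 length octets
        tag, ltype = (packet[0] >> 2) & 0x0F, packet[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        off = 1 + (1 << ltype)
        length = int.from_bytes(packet[1:off], "big")
    body = packet[off:off + length]
    if tag != 6 or len(body) != length:
        raise ValueError("expected one complete public-key packet")
    return body

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a two-octet length and the packet body (RFC 4880, 12.2)."""
    if body[:1] != b"\x04":
        raise ValueError("only version 4 keys are accepted")  # v3 keys refused
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()

def key_matches(packet: bytes, expected: str) -> bool:
    """True only if the received key hashes to the full fingerprint verified in person."""
    want = "".join(expected.split()).upper()
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        raise ValueError("need the full 40-digit fingerprint, not a key ID")
    return hmac.compare_digest(v4_fingerprint(public_key_body(packet)), want)

def constructed_key(modulus: bytes, version: int = 4) -> bytes:
    """Constructed sample: an RSA-shaped public-key packet, not a usable key."""
    def mpi(raw: bytes) -> bytes:
        return struct.pack(">H", int.from_bytes(raw, "big").bit_length()) + raw
    body = bytes([version]) + struct.pack(">IB", 1300000000, 1)  # created, algo 1 = RSA
    body += mpi(modulus) + mpi(b"\x01\x00\x01")
    return b"\x99" + struct.pack(">H", len(body)) + body

SAMPLE = constructed_key(bytes.fromhex("c0ffee0123456789"))  # the key you verified
OTHER = constructed_key(bytes.fromhex("c0ffee0123456788"))   # what a server returned
EXPECTED = v4_fingerprint(public_key_body(SAMPLE))           # stands in for the paper slip
print(key_matches(SAMPLE, EXPECTED), key_matches(OTHER, EXPECTED))
```

The input is the binary (dearmored) key, and only the leading primary-key packet is hashed; user IDs and signatures that follow it are not part of the fingerprint.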
Let's not use Keyservers
- leaks data
- trivial MITM attacks (issue1579)
- packet forgery
- OCaml... srsly.
http://bugs.gnupg.org/gnupg/issue1579
Let's define our target users. It's my mom!
The Gold Standard:
CAFF... PERL... srsly..?
That's the pinnacle, the gold-standard of contemporary keysigning
Fast forward 20 years
We see the fire burning. We need to do something about the situation.
Two decades later:
- mobile computing
- WiFi
- QRCodes
Yet, our machines cannot talk to each other
Introducing: GNOME Keysign
Leveraging 2000s technologies
Demo
GNOME Keysign
- Directly transfers keys
- Sends encrypted email
- No MTA needed
https://wiki.gnome.org/GnomeKeysign
Still waiting for patches
Thank you