NYU's PGP Key-Signing Seminar - a critique
I am writing regarding the PGP Seminar to be held on the 27th of March.
Your informative session is laudable. And, I would like to take full
advantage of the key-signing session to follow. However, there is a
certain concern which it would be prudent to address first.
http://www.nyu.edu/pages/advocacy/awareness/pgp.html provides instructions
for the session, which state:
"8. At the seminar Tim and Ilya will confirm the identity of all
participants and the participants will identify their own keys.
9. After the seminar Ilya will e-mail all the participants the
keyring with all the keys, along with the instructions on how
to sign them."
This conflicts with the guidelines for hosting pgp key signing sessions
as presented in the alt.security.pgp FAQ (a relevant excerpt is attached
to this message). The FAQ states:
"6. Each person securely obtains their own fingerprint, and after
being vouched for, they then read out their fingerprint out
loud so everyone can verify it on the printout they have."
The concern I have is that this discrepancy undermines the web of trust
model for PGP. The participants of the NYU session will not have the
opportunity to verify the identity of the owners of the keys that
they are signing. They must rely on a central authority ("Tim and Ilya").
I realize that this may be a simpler, and perhaps a more convenient method
of conducting a key-signing session, perhaps ideally suited to a session
aimed at novices. However, I feel that the security provided by PGP is
thereby undermined. We must not forget that security is the whole reason
that even the novices at your session are using PGP in the first place.
I hope this issue can be addressed before the session begins.
............................................................................
. Sergey Goldgaber
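The check that step 6 of the FAQ asks each participant to perform, as an added example that is not part of this thread: a PGP 2.x style (V3 RSA) fingerprint computed from a key's modulus and exponent, and the decision a participant makes before signing a key that arrives later on an e-mailed keyring. The key material and user IDs are constructed placeholders, and the `printout`, `should_sign` and `demo` names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class PublicKey:
    user_id: str
    n: int  # RSA modulus
    e: int  # RSA public exponent

def mpi_body(x: int) -> bytes:
    """Big-endian magnitude of an OpenPGP MPI, without its 2-byte length prefix."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def v3_fingerprint(key: PublicKey) -> str:
    """PGP 2.x (V3 RSA) fingerprint: MD5 over the MPI bodies of n then e (RFC 4880, 12.2)."""
    return hashlib.md5(mpi_body(key.n) + mpi_body(key.e)).hexdigest().upper()

def normalize(fp: str) -> str:
    """Bare hex, so spacing and letter case on a printout cannot cause a false mismatch."""
    return "".join(fp.split()).upper()

def format_fingerprint(fp: str) -> str:
    """The space-separated pairs PGP 2.x prints (the form seen in mail signatures)."""
    fp = normalize(fp)
    return " ".join(fp[i:i + 2] for i in range(0, len(fp), 2))

def should_sign(emailed_key: PublicKey, printout: dict, spoken: str, vouched: bool) -> bool:
    """Sign only if the person was vouched for in the room, the fingerprint they read
    aloud matches your printout, and the e-mailed key really has that fingerprint."""
    if not vouched:
        return False
    expected = printout.get(emailed_key.user_id)
    if expected is None or normalize(expected) != normalize(spoken):
        return False
    return v3_fingerprint(emailed_key) == normalize(expected)

# Constructed toy keys: the integers are placeholders, not real RSA moduli.
ALICE = PublicKey("Alice <alice@example.org>", n=0xC3F1A5B7E9D20471, e=0x10001)
OTHER_KEY_SAME_NAME = PublicKey("Alice <alice@example.org>", n=0xB8D4F0A1C7E35529, e=0x10001)
# What the organiser hands out on paper before anyone reads a fingerprint aloud.
PRINTOUT = {ALICE.user_id: format_fingerprint(v3_fingerprint(ALICE))}

def demo() -> dict:
    spoken = format_fingerprint(v3_fingerprint(ALICE))  # Alice reads this out loud
    return {
        "genuine": should_sign(ALICE, PRINTOUT, spoken, vouched=True),
        "not_vouched": should_sign(ALICE, PRINTOUT, spoken, vouched=False),
        # A different key under Alice's name on the e-mailed keyring is caught
        # only because her spoken fingerprint was recorded in the room.
        "mismatched_key": should_sign(OTHER_KEY_SAME_NAME, PRINTOUT, spoken, vouched=True),
    }
```

Without the read-out step, a participant has nothing independent to compare the e-mailed keyring against, which is the gap the message above describes.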
On Fri, 21 Mar 1997, Sergey Goldgaber wrote:
I am writing regarding the PGP Seminar to be held on the 27th of March. Your informative session is laudable. And, I would like to take full advantage of the key-signing session to follow. However, there is a certain concern which it would be prudent to address first.
Dear Sergey,
You are, of course, correct about this -- I knew I missed something when I was making up the instructions (I had to do it in 3 minutes). I've made the correction.
Ilya
_______________________________________________________________________
Ilya Slavin slavin@acf2.nyu.edu webmaster@cims.nyu.edu
Home Page is at http://www.nyu.edu/pages/advocacy/officers/slavin/
PGP Key fingerprint = 41 88 5D 47 AB 5A 01 D7 7F 89 6D 8E 77 0A 28 C5
'finger' slavin@acf2.nyu.edu to get my public key
_______________________________________________________________________
On Fri, 21 Mar 1997, you wrote:
-> On Fri, 21 Mar 1997, Sergey Goldgaber wrote:
->
-> > I am writing regarding the PGP Seminar to be held on the 27th of March.
-> > Your informative session is laudable. And, I would like to take full
-> > advantage of the key-signing session to follow. However, there is a
-> > certain concern which it would be prudent to address first.
->
-> Dear Sergey,
->
-> You are, of course, correct about this -- I knew I missed
-> something when I was making up the instructions (I had to do it in 3
-> minutes). I've made the correction.
Thank you for replying so promptly to my query. I am grateful for your
sensitivity to the issues involved.
............................................................................
. Sergey Goldgaber