About keysigning.org

What's this site all about?
Keysignings are useful, but they can be a pain to run. There are some guides around about how to do it and the general process is reasonably well known, but when a keysigning starts to get large it can become extremely time consuming to manage. The process of collecting public keys, generating a keyring, creating the keylist, and distributing the procedure to the participants can be very painful. There are some scripts around to help streamline things but they only provide part of the answer, not a complete solution.

This site aims to solve that problem by providing a centralised location and tools to manage keysignings, and a well documented and carefully reviewed process.

How do I add my event to this site?
In time I'm expecting to have a way for event organisers to log in and create new event profiles themselves, but for now I'm adding events to the system manually. If you'd like to add your event to this site just drop me a brief email and we'll set it up.

Is it safe to entrust my keysigning party to this site?
If you're serious about security that's a very good question to ask. If you're not at least a little paranoid you shouldn't be running a keysigning!

The first thing you have to consider is the function this site performs. If you carefully examine the process used to manage keysignings, you'll notice that at no point does this site require access to private information. All it does is act as a collection point for public keys, generate public keyrings and keylists, send out notifications, and graph the results.

Then you have to consider possible attack vectors. The objective of an attacker would almost certainly be to subvert the web of trust by having party participants sign a substitute key in place of a real key. Other than a basic DoS attack, that would have to be the #1 potential attack vector against this site. But examining our event management process, you'll see even that approach would be useless because event participants individually check their own key fingerprints against the keylist. At that point any substituted key would become immediately obvious: as long as participants check their own fingerprint in the keylist, there's nothing that even *we* could do to subvert it, let alone an external attacker.
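The participant-side check described above can be scripted. The following is an added example, not code from this site: it compares the fingerprint of your own key, taken from `gpg --with-colons --fingerprint` output, with your entry in the keylist. The keylist layout, the sample key, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for your own key.
OWN_KEY = """\
pub:u:4096:1:89ABCDEF01234567:1262304000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1262304000::::Alice Example <alice@example.org>:
"""

# Constructed keylist; this layout is an assumption, not the site's real format.
KEYLIST = """\
001  Alice Example <alice@example.org>
     Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
002  Bob Example <bob@example.org>
     Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
"""

def email(uid):
    m = re.search(r"<([^>]+)>", uid)
    return m.group(1).lower() if m else uid.strip().lower()

def own_key(colons):
    """Return (primary fingerprint, set of e-mail addresses) from colon output."""
    fpr, mails = None, set()
    for fields in (line.split(":") for line in colons.splitlines()):
        if len(fields) < 10:
            continue
        if fields[0] == "fpr" and fpr is None:  # first fpr record is the primary key
            fpr = fields[9].upper()
        elif fields[0] == "uid":
            mails.add(email(fields[9]))
    return fpr, mails

def keylist_entries(text):
    """Yield (user ID line, normalised fingerprint) pairs from the keylist."""
    uid = None
    for line in text.splitlines():
        m = re.search(r"fingerprint\s*=\s*([0-9A-Fa-f ]+)", line)
        if m and uid:
            yield uid, re.sub(r"\s", "", m.group(1)).upper()
            uid = None
        elif "<" in line:
            uid = line

def check_own_entry(colons, keylist):
    """'match', 'substituted' (my address, other fingerprint) or 'missing'."""
    fpr, mails = own_key(colons)
    status = "missing"
    for uid, listed in keylist_entries(keylist):
        if fpr and listed == fpr:
            return "match"
        if email(uid) in mails:
            status = "substituted"
    return status
```

Feed it the key from your own local keyring, not a copy downloaded from the site or a keyserver, since the point of the check is to compare against a source the site cannot alter.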

Which brings up the next point: you have to consider the trustworthiness of the people running this site. Maybe it was set up purely as a scam. If you're even a little bit paranoid you have to consider such things. However, I feel my standing in the FOSS community should count for something here. Google me, ask around, or send me an email and I'll send a signed reply, whatever: Jonathan Oxer (jon@keysigning.org, jon@oxer.com.au, jon@debian.org). I'm not hard to find.

Finally, it comes down to your decision: given the disclosure of this site and your understanding of our event management process and PKE in general, do you feel comfortable using this site to manage your event? Only you can decide.

Copyright 2004-2009 Jonathan Oxer (jon@oxer.com.au). Bandwidth donated by Internet Vision Technologies.