PGP Keysigning at SCALE 8x
From our guest blogger, Phil Dibowitz:
I've been hosting PGP Keysigning parties for 7 or 8 years now. And as I prepare to host the SCALE 8X PGP Keysigning party, I thought - how can I make this better?
PGP Keysigning parties are non-trivial. In particular, big ones require planning ahead, significant time investment both during and after, coordination, and a lot of tedious effort on the part of all attendees. I thought: We can do this better!
So the question is - what are the big pain points? To me, they are:
- Sign-up/RSVP - Getting the information out about the event to the right people is tough. And if you do, they have to remember to get all the information together. And even if they do, they have to do it on-time. And even if they do, they have to find the instructions, and it's a different form or another person to email. Sheesh, all this just to sign up!
- A single party time - A single party is great for the people who can make it: it provides the most signatures in a short amount of time. But if you can't make it, chances are that you would not get any signatures. Exchanging fingerprints and information on the expo floor wasn't easy unless you were prepared with small cards or pieces of paper with all the right information.
- Time investment to sign keys - For even a medium size party, signing time can take an hour or more. That's a lot of valuable time!
So I spoke to others, did some thinking, and we've implemented a lot of changes to make this a much smoother and simpler process, while keeping it secure.
Sign-up/RSVP. How can we make signing up easy? How about if you do it at the same time you register for the conference itself? And what if all you had to do was copy and paste in your key fingerprint? Well, that is all you have to do!
Verify Anywhere. Anyone who submits a fingerprint with their registration will have the fingerprint printed on the back of their badge and a PGP symbol (or sticker) on the front of their badge. Once you have verified that fingerprint is correct, you don't have to carry around a copy of your fingerprint - it's already on your badge! Want to verify someone's key? They can show you their badge! Someone wants to verify your key? Show them your badge!
Further, we'll have the PGP worksheets available starting Saturday, so that if you can't make the party, you can check people off easily as you find them.
And since the front of badges will have a PGP symbol on them, it'll be easy to spot people who want to do keysigning, verify ID and fingerprints and be on your way - at any time during the conference!
Of course, we still hope you'll all show up at the party - but if you can't - you can still do some verifications.
Time investment to sign keys. This is something I've been working on for a while. At SCALE 7X an alpha version of my PIUS software was around, but it's now a stable release. PIUS makes the process of (1) verifying email address, (2) signing each UID on each key individually, and (3) encrypt-emailing each signature to the right address a snap! It'll prompt you once for each fingerprint and allow you to say yes or no, and then it'll do all the rest of the work for you.
I'm sure there are many more improvements that can be made, but we hope that this year's improvements will make it easier for everyone to participate.
It's worth noting many of these ideas are also being tried at other conferences and are not necessarily unique to SCALE. Thanks to the PGP, open source, and conference communities, Phil Pennock, and all of the SCALE staff for their ideas and help.
I'm thrilled to be heading back out to LA for the best open source conference in the world and I hope to see lots of you at the keysigning party!
For more information, see here.