Blog by Sumana Harihareswara, Changeset founder
Fisher-Price's My First Keysigning
Hi, reader. I wrote this in 2009 and it's now more than five years old. So it may be very out of date; the world, and I, have changed a lot since I wrote it! I'm keeping this up for historical archive purposes, but the me of today may 100% disagree with what I said then. I rarely edit posts after publishing them, but if I do, I usually leave a note in italics to mark the edit and the reason. If this post is particularly offensive or breaches someone's privacy, please contact me.
Last night, at Biella's suggestion, I visited the Pacific Standard. Oh the homesickness! They have a UC Berkeley alumnus decal on the door, and a Moe's sticker on the rear wall, above a pedestal holding an Oxford English Dictionary.
I went for a Debian event, specifically a keysigning. Now this is ordinarily the point where my sister's eyes would glaze over and she'd skip the rest of the entry, and then she'd miss out on the part where I reveal my vulnerabilities, share my plans for work, children, and spiritual growth, and describe the secrets of consciousness and the world to come. Which is sad, really.
A keysigning is part of a way to solve the problem: when you get an email, how do you know it's from the person it says it's from? This is especially important if we want to be able to, say, sign contracts, flirt with cute guys, or gossip without fear that it's an impostor on the other side of the conversation. Not to mention -- wouldn't it be great if, even if someone else saw your email, they couldn't read it unless you wanted them to? I'm of course simplifying horribly, but public-key cryptography and authentication are a way for people to make their communications more secure. (Corrections in the comments in 3...2....)
And a part of that is matching up people with their "keys," verifying that a certain key belongs to a certain person. We usually do that in person, as Zack explains:
This is a process not unlike notarization. If you sign someone's PGP key it means that you met the person whose key it is, face to face, and checked that (a) they are who they claim to be, (b) that really is their key. Assuming that you've never met the person off the net before, part (a) involves looking at government-issued ID; I saw a lot of passports.
I also saw a lot of passports last night; I don't think I'd ever seen a Mexican passport before. I was meeting nearly everyone for the first time, and found myself making small talk based on the visas and stamps in their passports. "Oh, you have the same Indian visa I do!" I have the feeling I met some rather important people and didn't know it. Soon I'll be in their web of trust and perhaps some cool new cabal will open up to me.
10 May 2009, 0:58 a.m.