Re: [tlug] Web of Trust Party

[Josh Glover <jmglov@example.com>]

On 9/19/05, Stephen J. Turnbull <stephen@example.com> wrote:

> A better idea would be to have a standalone event (possibly as the
> first "presentation" at a technical meeting), and at that time work
> out some procedures for "lightweight" signing.

CAcert has "lightweight" signing built right into their web of trust
protocol: each person who wishes to be assured simply prints as many
copies of the assurance form as he thinks he needs, then he presents
his photo IDs to the assurer. Both parties sign the sheet, and the
assurer hangs onto it. Next time the assurer logs into CAcert, he
issues the points as indicated by the printed and signed forms he has.
Completely offline.

The way to do this for GPG / PGP public keys is similar. People who
want their key signed make some "keyslips", which list the ID and
fingerprint of his key. At the key-signing event, he presents an ID
along with the keyslip to the person who will be signing his key. That
person, when satisfied of his identity, takes the keyslip. The idea is
that you as a signer do not take a keyslip unless you have first
verified the ID of the person giving it to you.

So all the ID verification step of the assuring / signing (which is
the only step that really requires a face-to-face meeting anyway) can
be done with no computers involved. Therefore, the only danger imposed
by nomikai conditions would be the potential inebriation of the
assurer! ;)

-Josh