Alex Pennace
July 30, 2009

Web of Trust Activity

I participate in the PGP web-of-trust, which is basically modeled as a collection of assertions about key ownership. If Alice knows Bob, Bob can get his PGP key signed by Alice. If Charlie wants to communicate with Bob, he can use Alice's certification to confirm that the key he is using to communicate with Bob is really Bob's key, and not someone else's. The current global web-of-trust is essentially a scaled-up version of that scenario. For most users, this global web-of-trust is useless: it is simply a collection of assertions of unknown trustworthiness. Most users, through their PGP program, manage a small subset of this web-of-trust, in which they can confirm that a given key belongs to someone by leap-frogging through a chain of certifications, starting with the user's own certifications. In many PGP programs, the degree of trust assigned to each hop in a chain can be customized according to how much the user trusts that key owner to sign keys properly. This page covers two aspects of my PGP web-of-trust activity: the keys I have directly signed, and the keys I do not trust to sign other keys.
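The chain-of-certifications idea above is easiest to see on a small graph. The following is an added example, not code from this page or from any PGP implementation; it imitates GnuPG's classic defaults (a key becomes valid once one fully trusted valid key or three marginally trusted valid keys have certified it, with chains limited to five hops) and uses constructed people and certifications. It also shows the effect of the "never trust" ownertrust setting mentioned at the end of this page: a never-trusted owner's certifications are ignored even when their own key is valid.

```python
"""Added example: a toy model of PGP web-of-trust key validity.

Not code from this page's author or from any PGP implementation. It imitates
GnuPG's classic defaults (one fully trusted or three marginally trusted
*valid* certifiers make a key valid; chains are limited to five hops) so the
leap-frogging described above can be run on a small, constructed graph.
"""

NEVER, UNKNOWN, MARGINAL, FULL, ULTIMATE = "never", "unknown", "marginal", "full", "ultimate"


def compute_validity(signatures, ownertrust,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key_id: depth} for every key whose ownership is considered verified.

    signatures: {signed key id: set of signer key ids} (the certifications)
    ownertrust: {key id: level} (how far the key's OWNER is trusted to certify
                others; this is the per-hop setting the text describes)

    A certification only counts if the signing key is itself already valid AND
    its owner is trusted (full/ultimate count as complete, marginal as partial).
    Keys marked "never" contribute nothing, even when they are valid.
    """
    # The user's own (ultimately trusted) keys are the roots, at depth 0.
    valid_depth = {k: 0 for k, level in ownertrust.items() if level == ULTIMATE}
    changed = True
    while changed:  # iterate to a fixed point; each pass can extend chains by one hop
        changed = False
        for key, signers in signatures.items():
            complete, marginal, best = 0, 0, None
            for signer in signers:
                if signer not in valid_depth or valid_depth[signer] >= max_depth:
                    continue  # unverified signer, or chain would exceed max_depth
                level = ownertrust.get(signer, UNKNOWN)
                if level in (FULL, ULTIMATE):
                    complete += 1
                elif level == MARGINAL:
                    marginal += 1
                else:
                    continue  # "never" and "unknown" signers are ignored
                hop = valid_depth[signer] + 1
                best = hop if best is None else min(best, hop)
            if complete >= completes_needed or marginal >= marginals_needed:
                if valid_depth.get(key, max_depth + 1) > best:
                    valid_depth[key] = best
                    changed = True
    return valid_depth


# Constructed sample data (hypothetical people, not keys from this page).
SIGNATURES = {
    "alice": {"me"}, "dave": {"me"}, "erin": {"me"}, "frank": {"me"},
    "bob": {"alice"},                    # one certification by a fully trusted key
    "grace": {"dave", "erin", "frank"},  # three marginally trusted certifiers
    "heidi": {"bob"},                    # only one marginal certifier: not enough
    "mallory": {"alice"},                # valid key, but its owner is never trusted
    "cascadian": {"mallory"},            # certified only by a never-trusted owner
}
OWNERTRUST = {
    "me": ULTIMATE, "alice": FULL,
    "dave": MARGINAL, "erin": MARGINAL, "frank": MARGINAL, "bob": MARGINAL,
    "mallory": NEVER,
}


def example_validity():
    """Validity of the constructed graph under the default thresholds."""
    return compute_validity(SIGNATURES, OWNERTRUST)


if __name__ == "__main__":
    result = example_validity()
    for key, depth in sorted(result.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{key:10s} valid via {depth} hop(s)")
    for key in SIGNATURES:
        if key not in result:
            print(f"{key:10s} NOT valid")
```

Running it shows `grace` becoming valid only because three separately marginal certifiers agree, `heidi` staying unverified behind a single marginal hop, and `cascadian` staying unverified because the only certifier is never-trusted.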

PGP public key signatures creation

September 27, 2006

On September 27, 2006 (GMT-4), I signed 15 PGP keys. The identity of each keyholder was confirmed at a Boston Linux & Unix User Group keysigning event held on September 20, 2006. The one-week delay was due to my being busy.

Each keyholder verified that their fingerprint was correct and provided proof of identity (Massachusetts driver's license or passport). Each key was retrieved from pgp.mit.edu, its fingerprint verified as correct, the key signed, and the signed key sent to the keyholder.

The following keys have been signed:
Key ID    Fingerprint
D5C7B5D9  72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99*
70DAC773  14F6 BBEB 1887 2D4A 2C30 F554 B2C0 ABE5 70DA C773#
992A4B3F  0EC8 B0E3 052D FC4C 208F 76EB FA92 0973 992A 4B3F
C5061EA9  053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9*
6CC99823  0EB0 E35D 14A6 10E9 1A78 76F0 56CE 179C 6CC9 9823
30BDB814  73E3 6EAF EC29 29A3 94F9 6C78 F427 0FE8 30BD B814
27A2880C  45B8 9C5E EAD6 222F 0B2C 6601 5EDC 6D8C 27A2 880C#
86C77C44  9D5F 97B4 03D3 8A36 B664 A729 7DF7 D6BA 86C7 7C44*#
4A73884C  A273 4F57 58C0 7FE8 838D 4F87 AEEB EC18 4A73 884C
302A3876  0A86 FC80 20B6 CDA3 B48D 4875 9EDD 2FD3 302A 3876
2A8247C6  7CAD 75BB 4102 C2A9 EA83 B95F 907C E198 2A82 47C6#
DCAE4DB1  87B8 1519 1B13 4DBE A644 D0CB 413C A1A4 DCAE 4DB1
92987FBD  72F8 71AD 5804 81D1 4C84 CADC 08B7 79A5 9298 7FBD#
D791EB80  694A 40AF A7E1 D20C F3ED FE44 24D2 9230 D791 EB80
87612973  1012 5236 9DDF 99CD EDF3 680C A14E 82A8 8761 2973

September 18, 2008

On September 18, 2008 (GMT-4), I signed X PGP keys. The identity of each keyholder was confirmed at a Boston Linux & Unix User Group keysigning event held on September 17, 2008.

Each keyholder verified that their fingerprint was correct and provided proof of identity (driver's license or passport). Each key was retrieved from a keyserver, its fingerprint verified as correct, the key signed, and the signed key sent to the keyholder.
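The same four steps (retrieve the key, verify its fingerprint against the one checked at the event, sign it, send the signed key back) are described for both the 2006 and the 2008 signings. Here is that workflow driven from Python, as an added example that is not the author's own tooling. The fingerprint comparison is kept in pure functions that run without gpg; only `sign_verified_key()` invokes gpg, and it assumes a working gpg whose agent can unlock the signing key. The sample key listing is constructed, except that its fingerprint is the one given for key 87612973 in the table above.

```python
"""Added example, not the author's own tooling: the keysigning steps from the
text (fetch, verify fingerprint, sign, export) driven from Python.

Only sign_verified_key() calls gpg; everything else is pure so the fingerprint
check can be exercised offline.
"""
import re
import subprocess


def normalize_fingerprint(text):
    """Reduce a fingerprint as transcribed from a paper slip ("72 FB 39 4F ...",
    "14F6 BBEB ...") to bare uppercase hex so two transcriptions compare exactly."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def primary_fingerprints(colon_listing):
    """Extract primary-key fingerprints from `gpg --with-colons --fingerprint` output.

    Each "pub" record is followed by an "fpr" record whose 10th field is the
    fingerprint; subkey ("sub") fingerprints are ignored.
    """
    found, after_pub = [], False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            found.append(fields[9].upper())
            after_pub = False
    return found


def fingerprint_matches(expected, colon_listing):
    """True only if the listing holds exactly one primary key and its fingerprint
    equals the expected one. Insisting on exactly one key matters because a short
    key ID can match more than one key on a keyserver."""
    found = primary_fingerprints(colon_listing)
    return len(found) == 1 and found[0] == normalize_fingerprint(expected)


def sign_verified_key(key_id, expected_fingerprint, keyserver="pgp.mit.edu", gpg="gpg"):
    """Fetch, verify, sign, and return the ASCII-armored signed key for mailing back.
    Refuses to sign when the fingerprint does not match or the key ID is ambiguous."""
    subprocess.run([gpg, "--batch", "--keyserver", keyserver, "--recv-keys", key_id], check=True)
    listing = subprocess.run([gpg, "--batch", "--with-colons", "--fingerprint", key_id],
                             check=True, capture_output=True, text=True).stdout
    if not fingerprint_matches(expected_fingerprint, listing):
        raise ValueError(f"fingerprint mismatch or ambiguous key ID {key_id}; not signing")
    # --batch --yes answers the "Really sign?" prompt; assumes the agent holds the passphrase.
    subprocess.run([gpg, "--batch", "--yes", "--sign-key", key_id], check=True)
    return subprocess.run([gpg, "--armor", "--export", key_id],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample listing: the fingerprint is the one shown for key 87612973
# in the table above; the remaining fields (creation time, uid, subkey) are made up.
PAGE_FPR = "1012 5236 9DDF 99CD EDF3 680C A14E 82A8 8761 2973"
SAMPLE_LISTING = "\n".join([
    "pub:-:1024:17:A14E82A887612973:1150000000::::::::",
    "fpr" + ":" * 9 + normalize_fingerprint(PAGE_FPR) + ":",
    "uid:-::::1150000000::" + "0" * 40 + "::Sample User <sample@example.invalid>:",
    "sub:-:2048:16:0000000000000000:1150000000::::::::",
    "fpr" + ":" * 9 + "0" * 40 + ":",
]) + "\n"


if __name__ == "__main__":
    # Offline demonstration of the check on the constructed listing.
    print("matches:", fingerprint_matches(PAGE_FPR, SAMPLE_LISTING))
    print("typo   :", fingerprint_matches(PAGE_FPR[:-1] + "4", SAMPLE_LISTING))
```

`normalize_fingerprint` accepts both the 16-byte v3 style ("72 FB 39 ...") and the 20-byte v4 style, so the same check covers every row in the tables above; the comparison is exact after normalization, never a prefix match.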

The following keys have been signed:
Key ID    Fingerprint
537C5846  3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
0907DD92  F183 B7C3 40EC 216F F3D2 9BA1 F020 7357 F414 952B
0DBF906D  DD DC 88 AA 92 DC DD D5 BA 0A 6B 59 C1 65 AD 01
94468A04  9469 A4F1 D141 7F54 B696 E396 DB2E 75B4 9446 8A04
E0082B17  4C12 35A2 BE99 2139 3BA3 52E6 349C 49B2 E008 2B17
A9413B9F  D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
52ADF3CD  5AE8 97A7 A6E7 FDC2 3F00 245E D9E4 1681 52AD F3CD
9D7E8233  D18D 8D9B 4BAA CCFA 821C 082C 149C BC11 9D7E 8233
12DB6902  1D48 19D5 1469 D1F3 43A6 C0DC BA07 75ED 12DB 6902
5002DCF3  A56E 9374 E47A 2DD0 65AF 389A B7C9 B709 5002 DCF3
8C2E0411  9284 51B2 509E EBD9 19E7 B477 352C 3512 8C2E 0411
F9ED4946  F6D1 9E78 9B15 CAEE 696F 4644 52EC E7BE F9ED 4946
AA95C349  6B0B DC44 18D7 2987 F82F F349 24D3 2BF9 AA95 C349

Others' Questionable Key Signing Practices

Sometimes I come across a public key whose owner has signed other PGP public keys inappropriately (e.g. signing a public key belonging to a pseudonym).

Keys signing the keys for "Vagrant Cascadian"

The person to whom PGP keys 13D61A99 and E3BF6C78 belong identifies himself or herself only by the pseudonym "Vagrant Cascadian." Several persons have signed his or her key, but it is clear that none have checked this person's identity.

I first came across Cascadian on 2007-04-17, while going through messages on a Debian mailing list.

Anyone who has signed Cascadian's PGP key is not trustworthy. A few such people are already within my web of trust horizon because other trustworthy people signed their keys. Those individuals (using keys 1CF2D62A, 8F068012, AC583520, 64C90CEF, and 797EBFAB) have been marked as "never trust" in my GnuPG ownertrust file.
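The "never trust" marking lives in GnuPG's ownertrust database, which is edited by exporting it, changing the lines, and importing the result. The following is an added example, not the author's actual file. It assumes the format of `gpg --export-ownertrust` / `gpg --import-ownertrust`: one `<fingerprint>:<level>:` line per key, with numeric levels 2 unknown, 3 never, 4 marginal, 5 full, 6 ultimate, and `#` comment lines. The database is keyed by full fingerprint, so the short IDs quoted above are not enough on their own; the fingerprints used here are placeholders (zeros ending in those short IDs) that a user would replace with the real fingerprints from gpg.

```python
"""Added example, not the author's ownertrust file: setting listed signers to
"never" in a GnuPG ownertrust export.

Assumed format (that of gpg --export-ownertrust / --import-ownertrust):
    <40-hex fingerprint>:<level>:
with levels 2 unknown, 3 never, 4 marginal, 5 full, 6 ultimate.
"""
import subprocess

LEVELS = {"unknown": 2, "never": 3, "marginal": 4, "full": 5, "ultimate": 6}


def parse_ownertrust(text):
    """Parse export text into {fingerprint: numeric level}; comments and blanks skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fpr, level = line.split(":")[:2]
        table[fpr.upper()] = int(level)
    return table


def set_level(table, fingerprints, level_name):
    """Return a copy of table with the given keys forced to the named level.
    Keys not yet present are added, so a signer with no prior entry is covered too."""
    updated = dict(table)
    for fpr in fingerprints:
        updated[fpr.upper()] = LEVELS[level_name]
    return updated


def render_ownertrust(table):
    """Serialize back to the import format, one line per key, sorted for stable diffs."""
    return "".join(f"{fpr}:{level}:\n" for fpr, level in sorted(table.items()))


def apply_never_trust(fingerprints, gpg="gpg"):
    """Export the live ownertrust, mark the keys as never, import the result.
    --import-ownertrust reads stdin when no file is given."""
    current = subprocess.run([gpg, "--export-ownertrust"], check=True,
                             capture_output=True, text=True).stdout
    new_text = render_ownertrust(set_level(parse_ownertrust(current), fingerprints, "never"))
    subprocess.run([gpg, "--import-ownertrust"], input=new_text, check=True, text=True)
    return new_text


# Placeholder fingerprints for the five short IDs quoted in the text (NOT real).
PLACEHOLDER_FPRS = ["0" * 32 + short
                    for short in ("1CF2D62A", "8F068012", "AC583520", "64C90CEF", "797EBFAB")]

# Constructed sample export: an ultimately trusted own key, a fully trusted friend,
# and one of the signers that had previously been given full trust.
SAMPLE_EXPORT = "\n".join([
    "# List of assigned trustvalues (constructed sample)",
    "1" * 40 + ":6:",
    "2" * 40 + ":5:",
    "0" * 32 + "8F068012:5:",
]) + "\n"


def example_never_trust():
    """The sample export after marking the placeholder signers as never trusted."""
    return set_level(parse_ownertrust(SAMPLE_EXPORT), PLACEHOLDER_FPRS, "never")


if __name__ == "__main__":
    print(render_ownertrust(example_never_trust()), end="")
```

Setting a key to "never" does not invalidate that key itself; as the validity model earlier on this page shows, it only stops that key's certifications from counting toward anyone else's validity.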