Alex Pennace
May 11, 2008

Web of Trust Activity

Background information

I use PGP (via GnuPG). Part of using PGP is working with the web of trust: establishing that a public key claiming to belong to John Doe really belongs to John Doe.

Determining the veracity of that claim is facilitated by analyzing PGP public key signatures. As a PGP user, I both create PGP public key signatures (sign keys), and determine the reliability of other PGP users' key signatures.

PGP public key signature creation

September 27, 2006

On September 27, 2006 (GMT-4), I signed 15 PGP keys. The identity of each keyholder was confirmed at a Boston Linux & Unix User Group keysigning event held on September 20, 2006. The one-week delay was due to being busy.

Each keyholder verified that their fingerprint was correct and provided proof of identity (Massachusetts driver's license or passport). Each key was retrieved from pgp.mit.edu, its fingerprint verified as correct, the key signed, and the signed key sent to the keyholder.

The following keys have been signed:
Key ID    Fingerprint
D5C7B5D9  72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99 *
70DAC773  14F6 BBEB 1887 2D4A 2C30 F554 B2C0 ABE5 70DA C773 #
992A4B3F  0EC8 B0E3 052D FC4C 208F 76EB FA92 0973 992A 4B3F
C5061EA9  053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9 *
6CC99823  0EB0 E35D 14A6 10E9 1A78 76F0 56CE 179C 6CC9 9823
30BDB814  73E3 6EAF EC29 29A3 94F9 6C78 F427 0FE8 30BD B814
27A2880C  45B8 9C5E EAD6 222F 0B2C 6601 5EDC 6D8C 27A2 880C #
86C77C44  9D5F 97B4 03D3 8A36 B664 A729 7DF7 D6BA 86C7 7C44 *#
4A73884C  A273 4F57 58C0 7FE8 838D 4F87 AEEB EC18 4A73 884C
302A3876  0A86 FC80 20B6 CDA3 B48D 4875 9EDD 2FD3 302A 3876
2A8247C6  7CAD 75BB 4102 C2A9 EA83 B95F 907C E198 2A82 47C6 #
DCAE4DB1  87B8 1519 1B13 4DBE A644 D0CB 413C A1A4 DCAE 4DB1
92987FBD  72F8 71AD 5804 81D1 4C84 CADC 08B7 79A5 9298 7FBD #
D791EB80  694A 40AF A7E1 D20C F3ED FE44 24D2 9230 D791 EB80
87612973  1012 5236 9DDF 99CD EDF3 680C A14E 82A8 8761 2973

Other PGP users' key signatures

For each public key I signed, I can set an ownertrust level that GnuPG uses to decide whether that keyholder's own signatures are reliable. Once those trust levels are set, additional keys become valid (keys I did not sign myself, but which were signed by one or more keyholders I trust), and the process repeats. Sometimes I come across a public key whose owner has signed other PGP public keys inappropriately (e.g. signing a public key belonging to a pseudonym). Here is one case:

"Vagrant Cascadian"

The person to whom PGP key 13D61A99 belongs identifies himself only by the pseudonym "Vagrant Cascadian." Several people have signed his or her key, but it is clear that none have checked this person's identity.

I first came across Cascadian on 2007-04-17, while going through messages on a Debian mailing list.

Anyone who has signed Cascadian's PGP key is not trustworthy. A few such people are already within my web of trust horizon because other trustworthy people signed their keys. Those individuals (using keys 1CF2D62A, 8F068012, AC583520, and 64C90CEF) have been marked as "never trust" in my GnuPG ownertrust file.
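As an added illustration of the trust propagation described above and of the effect of a "never trust" mark (this is example code, not part of the original page), the following Python models GnuPG's classic web-of-trust validity rules on a constructed set of keys. The key names, the signature graph and the thresholds (3 marginals, 1 full, depth 5, which are GnuPG's defaults) are assumptions for the example.

```python
# Added example: simplified model of GnuPG's classic web-of-trust validity
# rules. Key names, signature graph and trust settings are constructed.

ULTIMATE, FULL, MARGINAL, NEVER = "ultimate", "full", "marginal", "never"

def compute_validity(sigs, ownertrust, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """Return the set of key IDs considered valid.

    sigs:       {signed_key: {signer_key, ...}}  (who certified whom)
    ownertrust: {key: level}                      (the user's ownertrust)
    A key is valid if ultimately trusted, or signed by enough *valid*
    signers with full (completes_needed) or marginal (marginals_needed)
    ownertrust. A signer marked 'never' (or with no ownertrust) counts
    for nothing, however many keys it has signed. Each round extends the
    introducer chain one step, bounded by max_cert_depth (GnuPG default 5).
    """
    valid = {k for k, level in ownertrust.items() if level == ULTIMATE}
    for _ in range(max_cert_depth):
        newly_valid = set()
        for key, signers in sigs.items():
            if key in valid:
                continue
            full = sum(1 for s in signers if s in valid
                       and ownertrust.get(s) in (ULTIMATE, FULL))
            marginal = sum(1 for s in signers if s in valid
                           and ownertrust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid

# Constructed graph: ME signed A-D at a keysigning event; B, C and D also
# signed E; only B and C signed F; A signed X; X alone signed P, a key
# whose owner is known only by a pseudonym.
SIGS = {"A": {"ME"}, "B": {"ME"}, "C": {"ME"}, "D": {"ME"},
        "E": {"B", "C", "D"}, "F": {"B", "C"}, "X": {"A"}, "P": {"X"}}
TRUST_BEFORE = {"ME": ULTIMATE, "A": FULL, "B": MARGINAL,
                "C": MARGINAL, "D": MARGINAL, "X": FULL}
# After seeing X certify a pseudonymous key, mark X 'never': X stays valid
# (A vouched for it) but nothing that only X signed does.
TRUST_AFTER = dict(TRUST_BEFORE, X=NEVER)

if __name__ == "__main__":
    print("before:", sorted(compute_validity(SIGS, TRUST_BEFORE)))
    print("after: ", sorted(compute_validity(SIGS, TRUST_AFTER)))
```

Note that marking X "never" does not invalidate X itself, only the keys that depend on X's signatures, which matches how GnuPG treats ownertrust separately from key validity.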