[uds-announce] Keysigning party UDS-Q - Keyring and printouts available

Geoffrey Thomas geofft at ldpreload.com
Fri May 11 00:09:31 UTC 2012


On Thu, 10 May 2012, Iain Lane wrote:

>> Alternatively, should we be verifying our fingerprint in the keyring
>> right now, and can we have a reading of the SHA-1 sum of the keyring
>> in addition to the text file?
>
> It's not so reliable to do this, since there are enough places in a GPG
> keyring (and a bz2 file) that arbitrary data can be stuffed in order to
> generate a collision if someone so desired.
>
> If everyone verifies their full fingerprint in the text file is correct
> and also makes sure to verify this when signing then we only need to
> read the checksums of the file. It also cuts down on the time that the
> KSP takes.

Good point. Since Asheesh is, as feared, generating a collision on my key 
as we speak, I'd like to ask everyone who will be at the keysigning to 
verify their fingerprints against this file and note its sha256sum 
(eec6e6470807c4a4d4065d1597f4e184982f6702e63ce387e5c920bf71db0188):

https://ldpreload.com/p/ksp-quantal.txt

This was generated with bunzip2 | gpg | gpg --with-fingerprint on the 
keyring Marc posted. I will read out the sha256sum of this file -- you can 
either write down the sha256sum right now on your keysigning sheet, or 
verify it against this email on your phone or somesuch. (This avoids 
needing to print out another verification sheet, since Marc's work just 
fine for identity verification.) If we all agree on the sha256sum and that 
it has correct fingerprints, you can then download the file from my web 
server at your leisure and have everyone's verified fingerprint.

Thanks (and especially thanks to Marc for organizing this),
-- 
Geoffrey Thomas
http://ldpreload.com
geofft at ldpreload.com
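
The check described in the message above, as an added example that is not part of the original email: confirm that a downloaded copy of the list hashes to the SHA-256 value read aloud, and that your own full fingerprint appears in it. The `Key fingerprint = ` line format, the function names and the sample listing are assumptions constructed for the illustration.

```python
import hashlib
import re

# Assumption: the list contains gpg --with-fingerprint style lines.
FPR_LINE = re.compile(r"Key fingerprint = ([0-9A-Fa-f ]+)")

# Constructed sample listing (not the real KSP file).
SAMPLE = (
    b"pub   4096R/01234567 2011-01-01 Alice Example <alice@example.org>\n"
    b"      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567\n"
    b"pub   2048R/FEDCBA98 2010-06-15 Bob Example <bob@example.org>\n"
    b"      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98\n"
)

def normalize(hex_text):
    """Drop all whitespace and upper-case, so grouping and case do not matter."""
    return "".join(hex_text.split()).upper()

def fingerprints_in(listing):
    """Return the set of full 40-hex-digit fingerprints found in the listing."""
    found = set()
    for match in FPR_LINE.finditer(listing.decode("utf-8", "replace")):
        fpr = normalize(match.group(1))
        if len(fpr) == 40:
            found.add(fpr)
    return found

def check_listing(listing, announced_sha256, my_fingerprint):
    """Return (digest_ok, fingerprint_ok) for a downloaded copy of the list.

    digest_ok: the bytes hash to the SHA-256 value that was read aloud.
    fingerprint_ok: the caller's full fingerprint is present; a short key ID
    is rejected because it does not identify a key uniquely.
    """
    actual = hashlib.sha256(listing).hexdigest().upper()
    digest_ok = actual == normalize(announced_sha256)
    mine = normalize(my_fingerprint)
    fingerprint_ok = len(mine) == 40 and mine in fingerprints_in(listing)
    return digest_ok, fingerprint_ok
```

Both results must be true before the list is used for signing: a matching digest only shows that everyone holds the same bytes, and the fingerprint check is what ties those bytes to each attendee's own key.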
