[ncc-services-wg] Proposal for easing keysigning at meetings
- Date: Tue, 2 Sep 2003 17:00:35 +0200
- Organisation: Demon Internet Netherlands
A little hallway conversation led to a consensus that NCC-Services is
the correct place to suggest this idea; it's a minimal-cost suggestion
for aiding crypto key-signing via the RIPE conference registration.
The main issue with exchanging crypto keys (e.g. PGP) is verifying that
all the information has been copied correctly and spending the actual
time to do it.
If the online registration form has an optional field to supply a key
fingerprint, then those who supply this will have their fingerprint
listed in the attendee list and shown on their registration badge
(optionally with keyid if not embedded in fingerprint).
Then, if you're interested in verifying keys at the level of "I've
talked to this person and someone has paid a few hundred euros for him
to attend a conference in his name" or greater trust, then you can
glance over the fingerprint on the badge, versus that on the list, and
just tick the item.
Then, later, working through the list you can just retrieve/sign/upload
those keys which you've ticked.
Benefits:
* makes valid key-signing friendlier to the lazy and those without a
surface to easily write on (or a PDA or ...)
* so web of trust more likely to be established at RIPE meetings
Disadvantages:
* minimal change to registration form, slightly longer printouts
* it's not _entirely_ free, but it's once-off minimal development and
probably some text in the booklets explaining the system (and why
people shouldn't just sign every key on the list)
Does anyone think that this is a good idea, or a violently stupid idea?
Should RIPE be doing this?
(I actually proposed this at LISA a couple of years ago and the
staff-member liked it and thought they'd try this at a USENIX Security
conference, but I heard nothing more about it)
--
Phil Pennock, Senior Systems Administrator, Demon Internet Netherlands
NL Sales: +31 20 422 20 00 Thus Plc NL Support: 0800 33 6666 8
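
The final step of the proposal (working through the ticked list before signing), sketched as an added example that is not part of the original message: a key is signed only if the full fingerprint of the retrieved key equals the one printed on the attendee list, never on a matching short key ID. All names and fingerprints are constructed sample data, and the `retrieved` mapping is assumed to hold the fingerprints reported by your local OpenPGP tool after fetching each key.

```python
import re

def normalise(fpr):
    """Strip spaces/colons from a printed fingerprint and upper-case it."""
    hexs = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]+", hexs) or len(hexs) not in (32, 40):
        raise ValueError(f"not a 128- or 160-bit fingerprint: {fpr!r}")
    return hexs

def key_id(fpr):
    """Long key ID of a v4 (160-bit) fingerprint: its low 64 bits.
    A v3 (128-bit) fingerprint does not embed the key ID, so return None;
    that is the case where the badge would need the keyid printed too."""
    f = normalise(fpr)
    return f[-16:] if len(f) == 40 else None

def keys_to_sign(attendee_list, ticked, retrieved):
    """Split ticked attendees into (to_sign, rejected).
    attendee_list: name -> fingerprint as printed on the list
    ticked:        names whose badge matched the list in person
    retrieved:     name -> fingerprint of the key actually fetched"""
    to_sign, rejected = [], {}
    for name in sorted(ticked):
        if name not in retrieved:
            rejected[name] = "key not retrieved"
        elif normalise(retrieved[name]) != normalise(attendee_list[name]):
            rejected[name] = "fingerprint mismatch"
        else:
            to_sign.append(name)
    return to_sign, rejected

# Constructed sample data (not real keys).
ATTENDEES = {
    "alice": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "bob":   "FFFF 0000 FFFF 0000 FFFF  0000 FFFF 0000 DEAD BEEF",
    "carol": "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000",
    "dave":  "00 11 22 33 44 55 66 77  88 99 AA BB CC DD EE FF",  # v3 style
}
TICKED = {"alice", "bob", "dave"}          # carol was never met in person
RETRIEVED = {
    "alice": "0123456789abcdef0123456789abcdef01234567",
    "bob":   "AAAA1111AAAA1111AAAA1111AAAA1111DEADBEEF",  # same short ID only
    "carol": "1111222233334444555566667777888899990000",
}

if __name__ == "__main__":
    print(keys_to_sign(ATTENDEES, TICKED, RETRIEVED))
```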