Okay, hello and welcome to probably the most boring but somehow, for some reason, quite anticipated session of the continuous key signing party introduction. So if it's about the party to be good, I hope, I'll just give some details as to what we are doing and why we're doing it because I know there's always some new people but I expect this to be quite short, right? So we're here to try to strengthen the web of trust. The web of trust is a construct that will show some pictures of it, oh this is better, yes. Okay, it's a construct we have in Debian that gives coherence to who we are socially but technically as well and different parts of Debian required to interact with us. Mainly, well, I'm here, I took this position because I'm part of the keyring main, the people responsible for the keyring. I don't see Jonathan, that's Jonathan, they're in the middle. We are the keyring maintenance team so we are responsible for holding, for saying which keys are part of the keyring. That doesn't mean that we trust you, only that we check that you comply with our base requirements. The information from the keys is also used by the front desk. That's the people that handle all the processes and all the transitions between states of individuals in their relationship with the Debian project. And well, the Debian infrastructure, several foreign computers, require for different actions for you to have a key in one of the active keyrings. So if you are a Debian developer, your key is on one of the keyrings, Debian maintainer on another keyring, Debian developer non-uploading on a third keyring. Other keyrings exist but they do not have an active role. When we could talk, and if there's interest, we will talk more about what is a web of trust, a curated web of trust, what is a strong set, what is the connected set. There are many things related to this, but this is just a family photo. I would like to show who we are. This is the photo, not a new one, but I haven't created a new one.
This is the photo of the Debian developer's keyring, one and a half years ago, after we did some major adjustments. And well, it shows the signature edges, each edge, each line is a signature. And basically it shows how new or how old is a trust among the nodes that are the people. And this is the photo of the keyring we are using for this particular key sign. Of course, this just looks like a black mess, like a black tangled thing. But the important thing here is that you find who you are and who you are connected to. I prepared the active link, I prepared this, so each of you can find yourselves, this is me for example, and you can find for example here who I am connected to. I will go back to this in a minute. This should be useful to know what the next things in this signing party, what the next steps for you is. So before going further, have you all got this? Have you all got your lucky number? Do you all agree with it? Of course this is not enough because it's very easy to cheat. If I just do this, I mean the reason that I'm showing this is that we have to check this number matches for all of us. So we're going to do a group reading of this thing. Because, well, if your key was sent to Anibal who organized this key signing party, your key should be in this file that I got, the ksp-dc17.txt. And I want to ensure this file is the same for each one of us, to make sure that we all have exactly the same file. In case somebody is not familiar with what SHA-256 does, SHA-256 is a hash algorithm that basically maps anything to a string of this size, 256 bits, and makes it extremely unlikely to find something similar. So even if you have a very small modification in your file, the hash, the number yielded by your SHA-256 from your file will be wildly different than this one. It's extremely unlikely you will have something as foamy as I did here, changing just two digits. So I will ask people to start reading this from your copies, not from mine.
Because I know what the numbers are, but we should all check this from either your computer or your printed page where you already wrote this down. So it would be nice to have two people read it at once, but of course, this is very prone to timing errors. But if we start here, each one reads one digit or letter from their copy, we should all verify it's the same one. Six, one, please continue this way. Six, one, who goes next? Next, please go on. Need the audience to get engaged. Nine, somebody say nine? Sorry? Louder. Okay, I will repeat what was said until now. You might just ask for volunteers to approach the microphones, and in that place people who want to... Right, and we don't want everybody to say just one digit. So yeah, some people please more than three or four approach the microphones, and maybe four digits each.
Six, one, F, F, C, nine, one. Five, two, nine, nine. One, B, F, seven. B, A, B, F. Oh, okay, perfect. It had a chorus effect on the computer. D, A, five, three. Three, eight, zero, D. Two, six, eight, E. Four, one, nine, five. Zero, two, zero, one. Five, F, B, D. Nine, seven, three. F, seven, two, eight. F, five, D, C. E, eight, eight, nine, seven, two, five, two.
Thank you very much. Did everybody check this? Okay, for those of you who are not into this, the thing is we want to be sure that when we check identities, I will explain that as a next step. We are already, all of us are checking the same file that contains similar strings for each of us. That, because this identification is the closest, the closest we have to a verification of identity in the Debian project. So, who should I cross sign with? Well, this picture I sent you, this shows my key in the center. Of course, each of your keys in the center. And it shows the links with people you have already cross-signed or maybe say this one. This one only has one signature. So, I could check here, for example. Here, I have signed Deven Vansovsky, but he hasn't signed mine.
So, I can approach him and ask him, well, let's redo the cross-signing. Here, it's the opposite way around. Valerio Brito has signed me, but I didn't sign his key. So, I should go to him, verify identity, and sign his key again. But it's more important if I approach people whose identity I trust, say, I know who and whom I praise, but I haven't cross-signed with him. So, I should approach him and exchange signatures. So, if somebody is my friend, I have not cross-signed, I trust his identity, I should do a cross-signing. If another person is many hops away from me, say, we can see this shape here of the key ring, where it has spikes and people far away, who is this person? If another person is on the far edge, Simon McBinney should be signed by me, because he's quite far. So, if I cross-sign with him, it will make the whole set more coherent. Or if somebody is isolated or weakly connected, say, Afif El-Grawin, Willem Blou, etc., people that are not part of the main blob, we should get them in. They are joining the key-signing party because they want to get in the key ring. Of course, we have to check who they claim to be. If you are one of those people that are not strongly connected or are not connected, please do not doubt and contact us, talk to as many of us as possible, and then you can get inside the strong set. We don't need everybody to be in the center. There's no need for everybody to have a very, very high rank of signatures. But it's good to have more than one, two, five signatures on. It's better to be more connected. Maybe you didn't get it very in time. Your key is not part of this file. What should you do? Well, of course, you're not in this map because I didn't know of you when I made this. But print some slips, having your name and your full key fingerprint. With those, you can check identities, exchange signatures with other people. 
If you have your slips and you trust this file, then you don't have to get slips from everybody whose key you cross-signed. Then what is trust? I'm talking about checking identity. What does checking identity mean? Some people trust government-issued IDs. I can tell you from this moment, I don't have my passport on me. I will not bring my passport to DebConf. I have other credentials if you need them or other ID cards from different actors. But I don't care too much about them. Many people trust government-issued IDs. This is a personal thing. Each person should put their trust where they trust. I prefer to trust the person. So, for example, if I just met somebody, I will not sign you, probably, this year unless we have some time together and I can rely on getting to know you or recognizing you later on. But again, the guidelines depend on each person. Your scheme. How do you validate the person that's in front of you? How do you validate? Why do you trust somebody to be the person who is claiming to be? We are asserting the identity of people. And it's a serious thing. It's something that we should take seriously. But there's no one scheme to do it. Every scheme you propose is probably valid. So, I guess we still have some minutes in case somebody wants to ask or comment or whatever. But that's it for me. That's the introduction. I will make sure to put a copy of the SHA we read together pasted on the front desk wall or something like that because that's a number we want to be able to refer to, right? So, please, if somebody has anything to ask, please do. Let's start mingling socially and enjoy your stay here at Montreal.
Yeah, just one little question. So, you were talking about the age of sign signatures in the beginning. Does it matter which key I sign if I take the version you'd have in the key ring? Or a version that is two years old and has lots of, lots less signatures?
Or the other way around, I'm still behind of signing my Cape Town key signing set. Sorry, everyone. Can I sign the current keys as they exist today or should I refrain to an older version?
Okay, I made this graphite show with the keys as they were uploaded to the public key servers two or three days ago. So, if you got more signatures, they would be reflected there. If you didn't, don't worry. This is a picture for this year's key ring. If you call it a key ring, I mean, this year's set of keys. I'm mapping it to something that resembles a key ring, right? It's the same basic key identification for a person who you exchanged signatures with last year or this one. Maybe this year they will have more signatures on it, but you're signing the identity. You're not signing the whole of the file, just the identities. Of course, if from last year to this year I changed my key, I migrated my main key, well, I will be a different person. So, again, enjoy.
What is the first step for somebody who wants to prepare for a future key signing? Somebody who has not yet used GnuPG.
Well, to learn how to use GnuPG to create a private key. To see how they will store, how they will protect their private key. I mean, to play a bit with it. That would be the first step.
Okay, thank you.