And so, to avoid the insanity of a gigantic key signing, and also to include more of the social aspects, so you can meet new people as well that you may not have signed keys with. Everybody who's participating in the key signing has on their badge a key which indicates their number in the file. You shouldn't use it as an identification of that particular person. It's just a visual indicator to you that they are a person whose key you might be interested in signing when you see them at meals, when you see them in the hack lab, or when you pass them in the halls. So anybody who has that, introduce yourself, talk to each other, show your documents if you have them. If you don't have your document on you, that's fine, you can arrange to meet again. Then you can make sure that they've verified their fingerprint in the file. They should make sure that you've verified your fingerprint in the file. They should examine your documents at their leisure. Feel free, if you aren't familiar with the country's passport, to go online and view examples of what their passport looks like. You can always come back and see their documents multiple times. So take as long as you need to be as sure of somebody's identity as you can be. And get to know each other beyond just that.

Can I just point out that if you're not sure, don't sign it. That may sound very obvious, but I've been told off in the past that it's rude for me not to sign keys at a key signing. I might not sign your key because I've only met you once, or because I don't think you look sufficiently like your passport. It's not necessarily a personal reflection on you. I won't take it as a personal reflection if people don't sign my key because they can't validate me well enough. It's better to be sure and not sign than unsure and sign anyway. So if you're in any doubt, just don't sign the key.
And if you want to explain to someone, that's fine, and if you don't, I don't think you have to explain to someone why you won't sign their key, or tell them. And don't take it personally if someone doesn't sign your key. We're trying to bootstrap a stronger web of trust given the larger keys that have been generated. So let's get this right.

Just one question. What does "sure" mean in this context?

That's an interesting question. And I think that if you ask five people in this room, you'll get five different answers. If you're signing a key, you're trying to validate that you believe the person you've met holds the name on the key, holds the email address on the key, and is in control of the private part of the key. How far you want to go on that is largely a matter of personal preference, I suppose. I'm not really prepared to stand here and say you must do this, you must do that, or you must not do this, you must not do that.

Well, as an example, when confronted with a foreign passport that you're not familiar with, what would you consider?

So if it's a European passport, they're all fairly similar to me. I'm from Europe, I've seen many European passports, that's fine. If it's not a European passport, or an identity card I don't recognize, and I've only just met the person and not had any social interaction with them, I won't sign it. Having met them on several separate occasions, having interacted with them and other people around, as well as seeing their documents, is the guideline I would go by.

How about if it's the Transnational Republic?

I will happily sign Martin's key any time he hands it to me; I know who he is, I've met him enough times. I think that's okay if you know the person. If you're not sure about the ID, don't sign it. If you're not sure about the person and they hand you some dodgy ID, don't sign it. If you've known the guy for five plus years and seen him interact with people and seen his real ID on other occasions, I'd sign it.
I think that was an interesting experiment; it did show up a lot of our weaknesses.

Question: how important is it to send a signature in an encrypted message to the corresponding user ID? We use caff.

I think caff is fine. The idea is that if you send a signature as an encrypted message to the recipient and don't upload it to a key server, you're proving that the person who controls that key also has access to the email address. That doesn't mean they're not sniffing the email address; it just means they can read email to that address. And you kind of hope that if someone sends you an encrypted message to your email address that you can't read, you email them back and go, that's not my key, and you're relying on that a bit. But the whole idea about that is that signatures don't get uploaded for email addresses that don't work or can't be read by the person who controls the private part of the key.

I see that there are probably less than 113 people here and not everybody has the paper with them. So I guess if you meet someone who has not checked this fingerprint with his paper on this occasion here, you should make sure that you both have the same fingerprint on the paper by just comparing the papers, because otherwise there's no connection between the information, I guess. But probably what you could do is to make a note of who is here on the paper.

I mean, I guess somebody who hasn't compared the sum needs to talk to a sufficient number of people and verify the sum with them to be confident that they are dealing with the same data set that we are. Obviously they can talk to Aníbal and me, but they should compare it with multiple people. So for somebody who's not here: before they sign anybody's key, they can do all the identification and fingerprint checking, but they should check the SHA sum that they have against the one that you have with every single person, or a large number of people.
So ask people who weren't here about that, to check it as well.

Basically it's enough if the sum on your document matches those on the documents of the people you want to sign, because actually they are bringing their fingerprint to you for signing, and so they have to make sure you have the same fingerprint on your list as they do. And they can either give you their fingerprint directly, or say, okay, you have to correct something on your document, and so the fingerprint on the document is actually mine.

One more question, not regarding fingerprints or checksums. I'm confused about the date of the key signing party now. It was scheduled for the 29th of July, and I'm quite happy to hear that it seems to be not then, because I'm not here anymore, but when is it?

So it's continuous.

So you are now part of the beginning of the key signing? The key signing will continue? So there will be no further gathering?

Not in a large group, no.

Okay.

You will meet as you pass each other at meals or whatever. At least that's the idea. If it ends up that this isn't working... this is an experiment. This is the first time we've ever tried this.

Thanks for mentioning that. That lowers the confusion.

So if this ends up not working at all, then we will maybe reschedule a real traditional key signing. Hopefully it will work, because this is, I think, a better way than the ways we've done it in the past.

Is there a way, or a recommended way, to participate if you're not on the list? Because I was too late; I was on vacation and I just got home after the deadline, and I would like to participate.

So what you can do is sign the keys of participants by getting this file, comparing the SHA-256 sum to what you see up there, and having your own fingerprints printed out, so that you can give your fingerprint and your identification, like your key IDs, on a little slip of paper to participants in the key signing party, along with your ID. So that's how you would participate.
And anybody who isn't on this list can do the same.

Just a reminder, there's a small tool called gpg-key2ps, which is in the signing-party package, which can convert your key to PostScript so you have little slips of paper with the key on it. And caff as well is in signing-party, just in case that wasn't clear.

Can I just comment that in my experience, absolutely it should be encouraged socially to have people who did not sign up participate in the key signing parties. However, it is very easy to very quickly DoS a signing party by having lots of people interrupting the flow of events to do keys like that.

Right, yeah, that's up to everybody else. Participants, if you want to sign somebody's key like that, that's your decision. Anything else?

We have more slides, sir.

The owner of the key listed as number 81 has to cross out his key. So please make a note. He lost access to his hard drive.

That might be a good segue to just make sure people only send signatures to people they actually meet and exchange things with.

Can I sign everybody's key that's on this list?

I will guarantee you that there are people on this list who are not here, and you will have to find out who they are. And if they receive a signature on their key, they're not going to find your ability to exchange keys very trustworthy.

Wouldn't it be useful to organize an event where people can, maybe on the 30th, for those who don't have enough signatures, come and just say, I didn't think of doing it and I can catch up and get 10 more signatures?

Yeah, that's probably a reasonable idea. I guess if it ends up later on being the case that people are having a hard time collecting signatures, then we can try to schedule something like that. It's probably worth scheduling something towards the end even just to see how well it worked. Okay.
If it turns out that people haven't got signatures, we can do a key signing of some sort, and if not, we can discuss whether or not it was effective, and lessons for next year.

That's "never to Helsinki again".

Yeah.

One more question. How do you plan to evaluate if the experiment was good or not?

We can pretty much guess by looking at how many signatures are exchanged. That's one measure. The other measure is how well the signatures were obtained and the quality of the stuff that was done in order to get the signatures, and that's something that I don't really have any good ideas on how to measure.

But then they have to be uploaded during DebConf?

No, they don't, because I can collect them at any time from now. I know what the state of the keys is now. Definitely not. If it's another failure, we'll know during DebConf, but we won't know how successful it is.

I have a question about the information. I read here on the website that for the few people who insist on having a classic key signing party, there will be one scheduled on DebConf Day 6, Wednesday. Is that still true?

That's another one: a key signing party like that, where a few people would like to meet and have a classical key signing.

I have a suggestion to make. If you want to find a large group of people willing to do key signing, it's best to bring your lists during the day trip. There probably will be enough time, recreation time, there, and you can check a lot of people around there. So bring your list and your passports along.

I mean, that's an excellent way to spend the time during a bus trip. A key signing on the bus, that logistically is going to be fun. Any additional questions?

About having a schedule sometime for having a key signing party: it does not mean a traditional key signing party. It means sometime when everybody who is interested in key signing gets all their papers, goes to our room, approaches the person who is interested in key signing and exchanges passports, ideas, or whatever you want to.
It does not mean the traditional key signing party. Because, I mean, I don't know you, but I am not going to be carrying all of my papers and my ID. So if we have some time and I can go and say, hello Don, can you sign my key, this is my passport, and so on, I think it's a good idea.

Could you provide some fake passport to be able to test the quality of people's signature checking?

I don't have any forged documents, and it's probably illegal to wander around with good ones.

No, this could be true. It depends on the country. In most countries, if you don't try to use the passport officially...

If you want to pay for my insurance and my legal counsel, then we can talk, but it starts at at least 10 million dollars.

Okay, it's expensive, I can afford that.

We could just assume that every passport is fake.

Okay, nothing to ask. Sorry, you can have a perfectly valid passport with an unrecognizable picture, because the guy grew up and cut the beard and grew long hair and whatever. And you can have an expired passport where the guy is absolutely identical. Or the person: a guy, lady, whatever.

He's an imposter, no.

Today in front of the dining room there was some discussion about whether Debian was intending at some point to define what signing means for the project. Is that in any way intended to be dealt with?

I don't think that's an answer that I or anybody here can come up with. Maybe in the second row here. Yeah, no. I don't think that's something that we're planning on discussing here or otherwise. We're just trying to get people to verify identities as vigorously and correctly as they can, and are capable of doing, to make the web of trust strong.

There's an interesting tip that maybe not everyone knows. In the signing-party package there is a script called gpgsigs, which takes the file that you download from Aníbal and your keyring, and it will annotate those keys that you have already signed. And that's useful to avoid bothering people if you've already signed their key.
Anything else? I think we've already done that. Anything else? Beer? Beer? Okay. So start signing whenever, and I guess we'll meet again. We'll schedule something if it's not already on the schedule.