After years of using caff for my PGP key-signing needs I finally came across the answer to a question I’ve had since the beginning. I document it here so that I may keep my sanity next time I go searching for the information.
My question was “how do you make a specific certification in a signature?”. As defined in RFC 1991, section 6.2.1, the four types of certifications are:
- <10> - public key packet and user ID packet, generic certification ("I think this key was created by this user, but I won't say how sure I am")
- <11> - public key packet and user ID packet, persona certification ("This key was created by someone who has told me that he is this user") (#)
- <12> - public key packet and user ID packet, casual certification ("This key was created by someone who I believe, after casual verification, to be this user") (#)
- <13> - public key packet and user ID packet, positive certification ("This key was created by someone who I believe, after heavy-duty identification such as picture ID, to be this user") (#)

Generally speaking, the default settings in caff only provide the first level “generic” certification. Tonight I found information specific to ~/.caff/gnupghome/gpg.conf. This file can contain, as far as I know, three lines:
ask-cert-level <- works in lieu of the default-cert-level to ask you on each signature
I can’t find any official information on this file as the man pages are a little slim on details. That said, if you use caff you should definitely create this file and populate it with the above at a minimum, with the exception of the default-cert-level. Set the default-cert-level to whatever level you feel comfortable with. My default is “2” for key signing parties (after I’ve inspected an “official” identification card and/or passport). The other two settings are important as they provide assurances of using a decent SHA-2 hash instead of the default
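To confirm that the gpg.conf settings took effect, the following added example (not from the original post or from caff) parses `gpg --with-colons --check-sigs` output and reports the certification level and digest of each signature made by a given key. It assumes the colon-listing field positions documented in GnuPG's doc/DETAILS (signature class in field 11, hash algorithm in field 16); the function name, key IDs and listing are constructed for illustration.

```python
# Added example: audit the certification level and digest of key signatures.
# Assumes GnuPG's colon listing layout (doc/DETAILS): field 11 = signature
# class, field 16 = hash algorithm (the latter only in newer GnuPG releases).

CERT_LEVELS = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # OpenPGP hash IDs
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}

# Constructed sample of `gpg --with-colons --check-sigs` output; key IDs are made up.
SAMPLE = """\
pub:-:4096:1:BBBBBBBBBBBBBBBB:1300000000:::-:::scESC:
uid:-::::1300000000::00000000::Bob Example <bob@example.org>:
sig:!::1:BBBBBBBBBBBBBBBB:1300000000::::Bob Example <bob@example.org>:13x:::::8:
sig:!::1:AAAAAAAAAAAAAAAA:1320451200::::Alice Example <alice@example.org>:10x:::::2:
uid:-::::1300000000::00000001::Bob Example <bob@example.net>:
sig:!::1:AAAAAAAAAAAAAAAA:1320451200::::Alice Example <alice@example.org>:12x:::::8:
"""

def audit_signatures(listing, signer_keyid, min_level=2):
    """Return (uid, level name, digest, problems) for each certification
    made by signer_keyid; problems is empty when the signature is acceptable."""
    findings, uid = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            uid = f[9]                      # signatures below belong to this UID
        elif f[0] == "sig" and len(f) > 10 and f[4] == signer_keyid:
            try:
                sigclass = int(f[10][:2], 16)
            except ValueError:
                continue                    # malformed class field
            if sigclass not in CERT_LEVELS:
                continue                    # not a certification (e.g. revocation)
            level = sigclass - 0x10         # gpg cert level 0..3
            algo = f[15] if len(f) > 15 else ""
            digest = HASH_ALGOS.get(int(algo), "unknown") if algo.isdigit() else "unknown"
            problems = []
            if level < min_level:
                problems.append("cert level %d below %d" % (level, min_level))
            if digest in WEAK_HASHES:
                problems.append("weak digest %s" % digest)
            findings.append((uid, CERT_LEVELS[sigclass], digest, problems))
    return findings

if __name__ == "__main__":
    for uid, level, digest, problems in audit_signatures(SAMPLE, "AAAAAAAAAAAAAAAA"):
        print(uid, level, digest, "; ".join(problems) or "OK")
```

To run it against real signatures, pass in the output of `gpg --homedir ~/.caff/gnupghome --with-colons --check-sigs` together with your own long key ID.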
I, unfortunately, will not be in attendance to join this event but I did want to help advertise this event. While the Fedora Web of Trust (WoT) is getting its act together you can start participating immediately! FUDcon Pune is hosting a keysigning event on 05 November 2011. If you are available please go and get your key signed and sign other people’s keys so the trust can build.
Hope everyone has a great time in Pune!
In the continuing saga of the Fedora Web of Trust (WoT) project I’ve started a small website in which to disseminate information on this project. More information will be posted there (as there isn’t much there now). I’ll post here when there are updates and such.
I was hoping to wait a bit before announcing my project but I’m having problems getting my ducks in a row. Because of this I’m reaching out to the community for help.
I’m hoping to bring the Fedora Project Web of Trust (WoT) together to make a large WoT cloud that links all Fedora contributors together. I have all the public keys I can find, just over 280 keys, that contain a @fedoraproject.org email address. I want to analyze the connections (note that the link shows the links between the keys uploaded to the server and not all the keys that are available at other key servers) between these keys (signatures) to determine the number of links between all and the percentage of signatures that exist compared to the number possible. The tools that I’ve found all seem to need a keyserver to communicate with and I could use the tools in place with existing key servers but I find the limitations given on those systems to be too… limiting. No problem, I thought, I’ll just install all the tools locally and I can churn as much data whenever I want to myself.
So here’s what I’d like to do:
- Collect “before” data on all PGP/GnuPG (GPG) keys for @fedoraproject.org email addresses. Done
- Set up a keyserver to be used for working with these keys for statistical analysis.
- Release before data to the world.
- Help get contributors to set up GnuPG keys and submit their public key to a key server.
- Help others host key signing parties at Fedora events.
- Compare the results of the project at the end of 2012.
- Release after data to the world.
I’ve already started down this path but, unfortunately, I’ve yet to get the one keyserver in the Fedora repositories, SKS, to work. The software installs fine but doesn’t really come with much documentation on getting it set up and running. If anyone cares to help me out with this, I’d be appreciative.
Sparks’ Linux Journal by Eric “Sparks” Christensen is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available at https://sparkslinux.wordpress.com/license/.