On Wed, Dec 19, 2018 at 3:22 PM Steve McIntyre steve.mcintyre@linaro.org wrote:
> On Wed, Dec 19, 2018 at 12:26:00PM +0100, Arnd Bergmann wrote:
> > - Make sure that you have Linaro business cards with your current
> > full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227" If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
>
> FTAOD: I assume you're not suggesting that business cards are ID! Before signing things, also check whatever ID you can.

I usually don't check ID when I sign keys from the people I closely work with, and I rarely sign keys of people I don't already know (and would likely check ID if there is any question about their identity).

> > Then during Connect, try to find those people you closely work with, as well as anyone new to the company, and exchange business cards. Make sure that the cards you hand out actually have the correct key printed on them if you are paranoid.
> > Once you get home, download the gpg keys from everyone you got cards from, check that the fingerprint matches, then sign and upload them. Note that you should not normally have your own master key on the laptop you travel with, so I assume this will have to be done afterwards.
>
> There are ways to improve safety there with hardware tokens, encrypted filesystems etc.
>
> For more paranoia:
>
> It's a common thing to do to physically sign the cards you've received and verified (with a pen!). That will guard against people maybe trying to slip extra bogus cards into your pocket etc.
>
> Debian people often (maybe mostly?) will prefer to send encrypted mail to each UID you present, using a tool like caff [1] to automate the process. That validates that you can also at least receive and decrypt mail sent to each address you're claiming to own.
Good suggestions, thanks!
Arnd
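The post-Connect step described in the thread (fetch the key for each card you collected, compare the full fingerprint against what is printed on the card, and sign and upload only on an exact match) as an added shell example that is not part of the mailing-list thread. It assumes gpg is installed and a keyserver is reachable; the function names are mine, and the sample fingerprint is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes gpg is installed and a
# keyserver is reachable for the fetch step. Function names are mine.

# Canonicalise a fingerprint as printed on a card ("88AF CD20 ... 5227"):
# drop whitespace, uppercase, and require exactly 40 hex digits (a v4 key).
# Prints the canonical form and returns 0, or returns 1 if it is malformed.
canon_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Compare the card fingerprint with the one gpg reports for the fetched key.
# Succeeds only on an exact 40-digit match: a short key ID or a prefix is
# not enough, since short IDs are cheap to collide.
fpr_matches() {
    card=$(canon_fpr "$1") || return 1
    fetched=$(canon_fpr "$2") || return 1
    [ "$card" = "$fetched" ]
}

# Full flow for one card: fetch by full fingerprint, read back the primary
# fingerprint gpg now holds for it, and sign and upload only if they match.
# gpg --sign-key prompts interactively; run it where your signing key lives.
verify_and_sign() {
    want=$(canon_fpr "$1") || { echo "malformed fingerprint: $1" >&2; return 1; }
    gpg --recv-keys "$want" >/dev/null 2>&1 || { echo "fetch failed: $want" >&2; return 1; }
    # In --with-colons output the "fpr" record carries the fingerprint in
    # field 10; the first such record belongs to the primary key.
    got=$(gpg --with-colons --fingerprint "$want" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if fpr_matches "$want" "$got"; then
        gpg --sign-key "$want" && gpg --send-keys "$want"
    else
        echo "fingerprint mismatch for $want, not signing" >&2
        return 1
    fi
}
```

Call `verify_and_sign "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227"` once per card; a malformed or mismatching fingerprint is refused before any signature is made.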