[Kleopatra] Key signing mode
Open, Wishlist, Public


Kleopatra should have a keysign party mode.

My idea would be:
A list of keys could be imported. The keys could be imported as keys or just as fingerprints or (better) as keys.

Kleo would then show a list of those keys and a hashsum of said keys. The hashsum could then be compared between all people sharing the list of keys.

A user could then select all his keys to sign the keylist with. The keys would then be uploaded. A bulk keysign.

aheinecke triaged this task as Wishlist priority.

More details:

The keys would be submitted to some person. That person would then import all keys in his keyring.
Kleo would offer something like "prepare keysigning" where the user could multiselect all keys into a new view.
That view would be exportable and create a new file. MIME type x-application-keysigning
with the subtypes x-application-pgp-keys

That file would then be the official key signing file. Participants could look at it because the application/pgp-keys subtype would be easily parsable by anything.

A hash over the application-pgp-keys mime part would be everything the participants have to agree on.

Then Kleo could offer to sign all keys in that blob.

And hurray!

That does not have super high priority for me as I don't think that the Web of Trust or Keysigning has any future except for us nerds :-P
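The agreement step described in this comment, a hash taken only over the application/pgp-keys part of the exported file, could look like the following. This is an added example, not Kleopatra code or part of the original task; the multipart/mixed container, the SHA-256 choice, the function names and the placeholder key blob are all assumptions made for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

KEYS_TYPE = "application/pgp-keys"
# Constructed placeholder, not a real OpenPGP key block.
SAMPLE_KEYS = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
               b"(constructed placeholder)\n"
               b"-----END PGP PUBLIC KEY BLOCK-----\n")

def build_keysigning_file(key_blob: bytes, note: str) -> bytes:
    """Hypothetical export: a cover note plus one application/pgp-keys part."""
    msg = EmailMessage()
    msg.set_content(note)
    msg.add_attachment(key_blob, maintype="application", subtype="pgp-keys",
                       filename="party-keys.asc")
    return msg.as_bytes()

def keys_part_digest(container: bytes) -> str:
    """SHA-256 over the decoded bytes of the single pgp-keys part.

    Hashing the decoded payload keeps the digest independent of the cover
    note and of the transfer encoding chosen by the exporter.
    """
    msg = message_from_bytes(container, policy=policy.default)
    parts = [p for p in msg.walk() if p.get_content_type() == KEYS_TYPE]
    if len(parts) != 1:
        # Zero or several key parts makes "the hash" ambiguous: refuse.
        raise ValueError(f"expected one {KEYS_TYPE} part, found {len(parts)}")
    return hashlib.sha256(parts[0].get_payload(decode=True)).hexdigest()

def digests_match(local: str, announced: str) -> bool:
    """Compare against a digest read aloud or printed in spaced groups."""
    return local.lower() == "".join(announced.split()).lower()

if __name__ == "__main__":
    mine = build_keysigning_file(SAMPLE_KEYS, "Key list for the party")
    theirs = build_keysigning_file(SAMPLE_KEYS, "Same keys, other cover text")
    altered = build_keysigning_file(SAMPLE_KEYS + b"extra key\n", "Key list")
    d = keys_part_digest(mine)
    print("agreed digest:", d)
    print("same keys, different note:", digests_match(d, keys_part_digest(theirs)))
    print("altered key list:", digests_match(d, keys_part_digest(altered)))
```

Only when every participant's locally computed digest matches the announced one should the bulk signing step be offered for the keys in that part.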

sitter added a subscriber: sitter. Aug 20 2018, 9:16 AM

There is already a format of key lists used by Debian to batch import, authenticate and validate via checksums: https://www.mankier.com/1/gpgparticipants It may make sense to follow an existing format instead of making a new one.

The basic idea is that during the signing party everyone validates their own key AND the checksum. This way the attendees know that the digital file is indeed the correct file and may use the digital data for import into other tools for the signing. Sounds a lot like what you'd like to have.

For KDE's purposes you should mind that the process we employ at Akademy is so very non technical and manual because a wide range of people attend, and a good 25% of signups are happening fairly late (which is e.g. why everyone gets an organized printout instead of having attendees bring their own ;)). That doesn't necessarily exclude the possibility of a gpgparticipants list, but converting the wiki page to the final checksum-able list may be a bit tricky.