Life after the book

17.7.2005: Debconf5

In honour of Debconf5, I'll blog in English today.

Friday afternoon I left work and went to Otaniemi to attend the international conference for Debian developers, which ends today (btw, you can still make it!). I used as an excuse that there was to be a talk on VoIP and Asterisk, but when I came there it turned out that talk was canceled. So, that wasn't really the reason I was there anyway. I mean, although I'm not a Debian user myself, far less a developer, I just couldn't miss the opportunity to see all these people and what's going on.

While there I ran into 'Frank', who had read my book and enjoyed it very much. For some reason, Frank has been given the gift of a salesman. After I'd spent 5 minutes in Smökki, he had already sold both of the books I always keep with me. Just for the pleasure of it apparently, he just can't help selling stuff to people, even when it's not his stuff. So after thinking about it, I had to take a Taxi and drive home to get more books and let him show what he can do. So it turns out the Taxi driver is crazy about Linux, although not a user himself. "I have a friend at IBM... Microsoft sucks..." and so forth. So when I go and get the books, he asks what they are about. So he wants to buy one! We figure that the trip is gonna be about 20e, so I give him a book and we call it even! Then Frank gets his hands on the rest of the books, sells 7 more, including one to a guy who doesn't even speak Finnish! Thank you Frank!!! And the taxi driver was especially funny! Good day for me and the book.

In the evening there was the keysigning party. For those that don't know, here is a short intro. For sending email securely, you can use cryptographic keys. With those keys you can a) encrypt the mail so only the receiver can open it and b) sign it with an electronic signature, so anyone can see that you actually sent and said those words. Now that the mathematicians have solved that problem, there is just one more to solve, however. It is known as PKI = Public Key Infrastructure. Which means, if you find a key for "Henrik Ingo", how can you be sure it actually belongs to a real person whose real name is Henrik Ingo? You don't. Unless there is some trusted authority, who gives the keys to everybody. For instance, in Finland you can get an electronic ID-card, and if you have a card reader attached to your computer, you can use that to prove your identity and sign your emails. And the recipient could check with the Police (actually, the Väestörekisterikeskus Root Certificate) that your signature is legally valid and you really are who you are. But that's just in Finland. There is no worldwide standards body or authority to take care of this. So what do you do?

You go to a key signing party. Which means, everybody just makes their own keys, without any authority. Then you meet with people face to face, say here is my passport, this is my PGP key fingerprint and then you go and sign each other's keys, which means you put a mark on the other guy's key which says: "I know this person and he really is who he claims to be". Sounds impractical? It is. With this system, you'd have to meet everyone in person, before you could send them any email. And that's why PGP also lets you trust the friends of your friends, then their friends and so forth, up to a threshold you can choose. So instead of a central authority, we end up with something called the web of trust. Plus one funny thing is you can make statistics on "who's got the most friends" so to speak.

So you make a key for yourself, and try to get it signed (approved, certified) by other people. So you should go to a keysigning party. I've heard of those, but never really seen one. It was a fascinating watch; yes, I didn't bring my own key, so I just watched. I'll tell all about it here.

First everybody sends their key to the organizer, who makes a convenient list of them. Then 180 people get together on the Smökki parking lot, and verify that they've all got the same list. This being cryptography (plus this being a bunch of geeks, plus them being Debian geeks) you have to make it right. So the list gets both an md5 and a sha1 checksum. And the guy in the red T-shirt reads the checksums out loud and then you know that there are no fake lists going around. If you don't know what checksums look like, here is the first one: "e21a9f68c8257a343e99a1c3d237dfa4". Now stand up in a crowd and read out loud four of those, and you'll understand what I mean.

Then 180 people get into two lines. The lines are longer than the parking lot, but please don't tread on the flowers, they're planted here for the World Championships next month.

Then step forward and start doing it. The other guy gives you his passport and tells you which of the keys on the list is his. Then you do the same. Then both take a step left. Then repeat 179 times.

So again I'm thinking, is this really worth the trouble? They stand there about 2,5 hours, and most of these people you might never send email to. Maybe it's more of a geek ritual, where you get to systematically meet all participants in a conference? Plus you get to do something geeky together. "This is my fingerprint and the checksum was okay too. How about yours?"

And somewhere in the line, everybody gets to personally meet famous people. Finnish Linux Users Group chairman Arto Teräs, former Debian Project Leader and current HP big shot Bdale Garbee, and Debian Project Leader Branden Robinson.

But watching this going on for over 2 hours I realize, it's not just a ritual for geeks to get in touch. It's not even a ritual for geeks to be geeky. It's something more. By standing in this line, you're participating in something. I realize now, that the PGP web of trust is not a surrogate for a central authority that we don't have. The thing is, we don't want to have a central authority! We want to have a web of trust, a web of people that have met face to face and collectively bear the task of being the certificate authority. After all, that is the way we always want to do things. That is the world we believe in! And by participating in these events, spending hours to get your key signed and signing others', you are making the web of trust stronger and bigger. Stronger so that the "authority" is stronger, because the chain of "friends of friends" has become shorter and the web more tightly knit. And bigger so that it is easier for new people to join in with their keys. In short, they are spending these hours building the world they believe in. They are building a technological solution for a world with no central authority.
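To make the "friends of friends up to a threshold" idea and the "chain has become shorter" point concrete, here is a small sketch added for illustration (it is not part of the original post and not PGP's own code). It assumes a simplified model in which only the length of the signature chain counts; real OpenPGP software also weighs how much you trust each signer. The names and the sample web are constructed.

```python
from collections import deque

def cert_path_length(signatures, me, target):
    """Shortest chain of signatures leading from `me` to `target`, or None.

    `signatures` maps a signer to the set of keys that signer has signed.
    Length 1 means I checked the passport and signed the key myself.
    """
    seen = {me}
    queue = deque([(me, 0)])
    while queue:
        key, dist = queue.popleft()
        if key == target:
            return dist
        for signed in signatures.get(key, ()):
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, dist + 1))
    return None  # no chain at all: the key stays unverified

def is_valid(signatures, me, target, max_depth):
    """Accept a key only if a chain exists within my chosen threshold."""
    n = cert_path_length(signatures, me, target)
    return n is not None and n <= max_depth

def keysigning_party(signatures, attendees):
    """Return a new web in which every attendee has signed every other one."""
    after = {k: set(v) for k, v in signatures.items()}
    for a in attendees:
        after.setdefault(a, set()).update(b for b in attendees if b != a)
    return after

# Constructed sample web: alice -> bob -> carol -> dave -> erin
BEFORE = {
    "alice": {"bob"},
    "bob": {"carol"},
    "carol": {"dave"},
    "dave": {"erin"},
    "erin": set(),
}
# alice, carol and dave stand in the same line at a party
AFTER = keysigning_party(BEFORE, ["alice", "carol", "dave"])

if __name__ == "__main__":
    for label, web in (("before", BEFORE), ("after", AFTER)):
        n = cert_path_length(web, "alice", "erin")
        ok = is_valid(web, "alice", "erin", max_depth=3)
        print(f"{label}: chain length {n}, accepted at depth 3: {ok}")
```

Alice never meets Erin in either case; the party only shortens the chain between them enough to fit under Alice's threshold.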

It almost makes me feel bad I didn't participate. I promise to send in my key to the next key signing party. I too want to spend 2 hours building a world I believe in.

Finally, thanks to all of you because the plants survived! Btw, isn't it ironic, that within one month Otaniemi gets to first host one of the geekiest conferences in the world, and immediately after you leave, they start preparing to host the top athletes of the world. I guess it keeps the Universe in balance :-)

Anyway, thanks for coming, hope you enjoyed Finland, and welcome back.

Images by Henrik Ingo and Arto Teräs. (Public Domain just like most of the stuff on this site.)


Images and text, unless specifically stated otherwise, may be freely copied under Public Domain terms.