Web of Trust (2025)


Details
This is a hands-on workshop, so bring your laptop. You will get the most out of it if you can do the recommended reading and complete the prerequisites. If you can't, you should still come; just sit next to someone and follow along. If you come early, we can help you with the prerequisites.
Title: Web of Trust (2025)
By: Matt Borja
Summary: This industry-led session will explore tools, techniques, and procedures for building trust and securing the supply chain.
Objectives:
• Define conditions for trust
• Demonstrate signature verification
• Create a new identity for digital signing using GnuPG
• Share your public key
• Sign others' public keys
• Understand the responsibility of auditing signing keys
Prerequisites:
• Latest version of GnuPG
- Linux: normally has this already installed, so bring Linux if you have it
- Mac: if you are familiar with Homebrew, you can install with 'brew install gnupg'
- Windows: find downloads here: https://www.gnupg.org/download/#binary
• GitHub account with two-factor authentication configured (https://github.com)
Recommended reading:
• What does sig!3 mean?
(https://lists.gnupg.org/pipermail/gnupg-users/2004-July/022910.html)
• Validating other keys on your public keyring
(https://www.gnupg.org/gph/en/manual/x334.html)
• Sections 2.1, 2.2, 4.1, 4.7, 5.3.1, and optionally privacy considerations in section 8 of Digital Identity Guidelines, NIST SP 800-63A
(https://pages.nist.gov/800-63-3/sp800-63a.html)
Please note: Attendees will be required to acknowledge a compliance requirement set forth by U.S. Export Administration Regulations and other U.S. and foreign laws.
