OpenPGP key signing Party
Meet Ubuntu people face-to-face. Taunt each other over their passport/driver's license photos. Add yourself to the Web of Trust or increase your ranking
Q. Why would I want to participate? A. It is your opportunity to join and strengthen the trust networks that our community uses to establish identity
In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and a user. It is, in some respects, an alternative to a centralized public key infrastructure (PKI) that relies exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs. The web of trust concept was put forth by PGP creator Phil Zimmermann in the manual for PGP version 2.0:
"As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys."
Please see the following links for background information:
Before you come to the Ubucon key signing party
Mandatory: Create an OpenPGP keypair for yourself (if you haven't already)
Mandatory: Print or write down your key fingerprint and bring it with you. You'll have to confirm at the signing that the list is correct for your key.
Mandatory: Send your key before the event to the pgp.mit.edu keyserver.
Mandatory: Email your key fingerprint to firstname.lastname@example.org
Mandatory: Bring a government-issued picture ID of yourself
Optionally: add your key to Biglumber's keyring to make it easier for others to sign it / get it.
Get your KEYID from your keyring: it is the part following the 1024D/ in the output of
gpg --list-secret-keys | grep sec
As an example this may look like 82A0BC01. Yours will be different.
Send your key to the keyserver with:
gpg --keyserver pgp.mit.edu --send-keys KEYID
Send your key fingerprint before the event to email@example.com as follows (where firstname.lastname@example.org is the email address you used for your key):
gpg --fingerprint 'firstname.lastname@example.org' | mail -s "firstname.lastname@example.org key" email@example.com
Alternatively, run
gpg --fingerprint firstname.lastname@example.org
and then cut and paste the output into an email to email@example.com with the subject “firstname.lastname@example.org key”
Print out this KeySignatureList of everyone's key fingerprints and bring it with you. Make sure your key is on it!
At the Key signing
- Each participant should meet up face to face with every other participant to receive their key fingerprint and examine their ID, and to give them your key fingerprint and have them examine your ID. The key signing organizer will provide direction about exactly how this is to happen. With large groups it can become very chaotic as the number of possible relationships increases exponentially with the number of participants. To keep things orderly the organizer will probably have everyone stand in a long line and then have the line fold back on itself, allowing every person to pass by every other person in turn.
- As you meet up with each person they will give you a printout of their key fingerprint and show you their ID. Examine their ID, and if you are convinced that the person standing in front of you is actually who they say they are then write 'ID OK' on their key fingerprint and initial it to prevent tampering. You then keep their key fingerprint in a safe place for later reference after the event has finished.
After the Key signing
Following the key signing, you'll need to actually sign people's keys. The easiest way to do this is to use caff which is conveniently packaged in the Ubuntu signing-party package. caff lets you sign a number of keys at once, and will then email each recipient their signed key, encrypted with their key (actually, it sends one email per UID on the target key, so those people with 10 UIDs on their key will get 10 emails from caff, but that's OK - it makes sure they control that email address too). They must know their own pass phrase to retrieve their signed key, which they can then import into their gpg keyring and upload to the key server pgp.mit.edu.
caff isn't very friendly to desktop users (it requires a local MTA or an open SMTP server) who don't know Perl. If you don't mind a little light work on the command line and use KMail, there exists a quick Python script for automated keysigning with KMail. It removes the annoying manual labor bits of the procedure described below, and sends e-mails using KMail.
- Participants retrieve the public keys of all key signing participants by fetching individual keys from public key servers.
- Participants work through their collection of signed fingerprint slips, checking the fingerprint of each key against the fingerprint on the slip and signing keys that match and are ticked for valid ID.
- Participants either upload each public key they sign to a public keyserver, or email it directly to the key owner. Some key owners prefer not to have keys sent to public keyservers so in general it is courteous to email the key directly to the owner.
- Signatures sent to each participant by other participants are imported into their local keyring.
GNu_Joe's simplified instructions:
- Find the key ID on the fingerprint. The fingerprint will have an 8-character ID listed after the key size. Typically it looks like this: '1024D/64011A8B'. The actual ID portion is the '64011A8B'. You'll notice this is also the last 8 characters of the fingerprint itself.
- Fetch the public key using the key ID. If you're running GnuPG on the command line, you can do this by typing
gpg --keyserver pgp.mit.edu --recv-keys <KeyID>
(where KeyID is obviously the ID of the key you want).
- Check that the fingerprint of the key you've just fetched matches the fingerprint on the slip of paper: run
gpg --fingerprint <KeyID>
and compare it with the hard copy in front of you.
- If (and only if) you are happy that the fingerprints match and the person showed you sufficient ID, you can do the actual 'signing' part of the process: type
gpg --sign-key <KeyID>
and answer the questions it asks.
- Next you need to get the signed copy of their key back to them. Upload the signed key back to the keyserver (or email it to them directly if they prefer to keep their key off public keyservers):
gpg --keyserver pgp.mit.edu --send-keys <KeyID>
You should get back something like 'gpg: sending key <Key_ID> to hkp server pgp.mit.edu'
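The two places on this page where you read gpg output by eye are finding your own KEYID in gpg --list-secret-keys before the party, and comparing a signed slip against gpg --fingerprint afterwards. The script below is an added example (not from the page, and not part of GnuPG or the signing-party package) that does both checks mechanically. It only shells out to gpg in the optional run_gpg helper; every other function takes gpg's output as a string, and the sample listings embedded here are constructed (only the key IDs 82A0BC01 and 64011A8B are taken from the page's own examples). Function names such as keyid_from_listing and verify_slip are this example's own.

```python
"""Added example: parse gpg listings and verify a key signing slip.

Assumptions (not from the original page):
  - gpg output is passed in as text; run_gpg() is the only function that
    actually executes gpg, and nothing below depends on it.
  - Both the old listing style ("sec   1024D/82A0BC01 ...") and the newer
    style, where the fingerprint sits on its own indented line, are accepted.
"""
import re
import subprocess

HEX = r"[0-9A-Fa-f]"
# Old-style key line: "sec   1024D/82A0BC01 2005-03-01" -> capture 82A0BC01
OLD_KEY_LINE = re.compile(r"^(?:sec|pub)\s+\d+[A-Za-z]/(" + HEX + r"{8,16})\b")
FPR40 = re.compile(r"[0-9A-F]{40}")  # v4 OpenPGP fingerprints are 160 bits

# Constructed sample of `gpg --list-secret-keys` (old style; ID from the page)
SAMPLE_SECRET_LISTING = """\
sec   1024D/82A0BC01 2005-03-01
uid                  Example Person (constructed) <firstname.lastname@example.org>
ssb   2048g/0F1E2D3C 2005-03-01
"""

# Constructed sample of `gpg --fingerprint 64011A8B`, old style
SAMPLE_FINGERPRINT_OUTPUT = """\
pub   1024D/64011A8B 2005-03-01
      Key fingerprint = 0123 4567 89AB CDEF 0123 4567 89AB CDEF 6401 1A8B
uid                  Another Person (constructed) <email@example.com>
sub   2048g/5A5A5A5A 2005-03-01
"""

# The same key as newer gpg (2.1+) prints it: bare fingerprint, no "=" prefix
SAMPLE_NEW_STYLE_OUTPUT = """\
pub   dsa1024 2005-03-01 [SC]
      0123456789ABCDEF0123456789ABCDEF64011A8B
uid           [ultimate] Another Person (constructed) <email@example.com>
"""


def run_gpg(*args):
    """Run gpg with the given arguments and return its stdout (optional helper)."""
    return subprocess.run(["gpg", *args], capture_output=True,
                          text=True, check=True).stdout


def fingerprint_from_output(text):
    """Return the first primary-key fingerprint (40 upper-case hex) in gpg output.

    Works for both "Key fingerprint = XXXX XXXX ..." lines and the bare
    indented fingerprint line that newer gpg prints. Returns None if absent.
    """
    for line in text.splitlines():
        candidate = line.split("=", 1)[1] if "fingerprint" in line.lower() else line
        cleaned = re.sub(r"\s", "", candidate).upper()
        if FPR40.fullmatch(cleaned):
            return cleaned
    return None


def keyid_from_listing(listing):
    """The 8-hex KEYID the page refers to: the part after '1024D/' in an
    old-style 'sec' line, or the last 8 hex digits of the fingerprint in
    the newer style (the two are the same value)."""
    for line in listing.splitlines():
        m = OLD_KEY_LINE.match(line)
        if m:
            return m.group(1).upper()[-8:]
    fpr = fingerprint_from_output(listing)
    return fpr[-8:] if fpr else None


def key_ids(fingerprint):
    """(long 16-hex ID, short 8-hex ID) derived from a v4 fingerprint.
    The short ID covers only 32 bits of the key: fine for --recv-keys,
    but never sufficient on its own for deciding to sign."""
    return fingerprint[-16:], fingerprint[-8:]


def normalize_fingerprint(slip_text):
    """Turn a hand-written slip ('0123 4567 ...', with or without colons)
    into 40 upper-case hex digits, or None if it is not a full fingerprint."""
    cleaned = re.sub(r"[\s:]", "", slip_text).upper()
    return cleaned if FPR40.fullmatch(cleaned) else None


def verify_slip(slip_text, id_ok, gpg_output):
    """Decide whether a fetched key may be signed, per the page's rule:
    sign only if the slip is marked 'ID OK' AND the whole fingerprint on
    the slip matches the fingerprint gpg shows for the fetched key.
    Returns (decision, reason)."""
    slip = normalize_fingerprint(slip_text)
    if slip is None:
        return False, "slip does not carry a complete 40-digit fingerprint"
    if not id_ok:
        return False, "slip is not marked 'ID OK'; do not sign"
    fetched = fingerprint_from_output(gpg_output)
    if fetched is None:
        return False, "no fingerprint found in gpg output"
    if fetched != slip:
        return False, "fingerprint mismatch: slip %s, fetched %s" % (slip, fetched)
    return True, "match and ID checked: run gpg --sign-key " + fetched
```

A slip whose last 8 digits agree with the fetched key but whose earlier digits differ is rejected, which is the point of comparing the full fingerprint rather than the short key ID the page uses for fetching.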