GUADEC 2008 Key Signing Party

Motivation

A Keysigning Party exists to build and strengthen a Web of Trust. A good paper on Keysigning Parties is at http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html.

Rules

The meaning of a signature on a GPG key is that you have verified the data on it (such as the name or email address) to be correct. Most people don't sign other keys until they are convinced that the data is real. Most of the time, verification is done through personal meetings and IDs with an attached photo. Even that might not convince you, and that's perfectly fine. Please don't sign other keys if you are not convinced that the data is real.

The rough timeline is the following:

  • Everybody reads their fingerprint aloud to the others (if we have a list printed)
  • The others check whether the fingerprint matches the one on the list
  • People not on the list go around and distribute their key information
  • People convince each other that they are who they claim to be, e.g. by checking IDs
  • You take your list and the other key data home and check which entries have both checkmarks (fingerprint matches and ID matches)
  • You then sign the key (and possibly attached subkeys, if you've verified their IDs as well) and send it encrypted to the email address on the key. You don't upload the signed key to a keyserver yourself.

Subscription

  • Bring your key information (especially the fingerprint) on a trustworthy medium.
  • Bring at least one government-issued photo ID (it's better if you bring more than one).
  • You might want to bring a few pieces of paper with your key information.
  • It also helps if you add your data to the table below, though it's not required. If we are more than 50 people we'll try to print lists of the attendees, and the table is what we'll print.

Time & Place

TBC

Attendees

Please do not forget to bring your fingerprint with you on a trustworthy medium. You can also use gpg2ps to print nice paper slips.

Name | e-mail | Key ID | Key fingerprint | Fingerprint matches | ID matches
Francisco Blas Izquierdo Riera (klondike) | klondike( a t )xiscosoft( d o t )es | 0x51CCDAF1 | 75CC 7796 98BA 7DAC 96F8 48E2 5035 96C3 51CC DAF1 | | 
Germán Póo-Caamaño (gpoo) | gpoo gnome org | C129658C | 6F3E 1831 D697 60DC 3FCE 7873 D619 7451 C129 658C | | 
DiegoEscalanteUrrelo | diegoe gnome org | E86A9665 | 1418 D51F F346 AC1A 401E 4C94 9CD3 DCED E86A 9665 | | 
Tobias Mueller | muelli auftrags-killer org | AA208D9E | CF3E D935 AE6B DE0A D508 AF86 3EE0 57FF AA20 8D9E | | 
Tobias Mueller | 4tmuelle informatik uni-hamburg de | D3492A2A | 974C F452 FDA0 99D8 CB7E 54F7 DC03 BAA3 D349 2A2A | | 
Daniel Pisano | docpi@web.de | 539DA29B | 858A A88F EF6D EF7C 4E27 93E5 7F0E EF9D 539D A29B | | 

FAQ

What is it?

A key signing party is an event at which people meet, exchange their GPG keys and verify each other's identity, so that they can later sign those keys.

Why should we join?

Actually, the only ways you have of knowing that a person really is who he says he is when he signs a mail (or gives you his GPG key so you can encrypt a mail you are going to send him) are either meeting him personally and checking his ID card, or trusting other people who vouch that he is who he claims to be. The first is obviously done by meeting face to face (as we'll do at this event); the latter by signing other people's keys (something you should only do when you really trust that they are who they claim to be).

The idea of this event is to do both things, so that afterwards you can trust the signatures of those you met, and so that others who trust you and know you won't sign everybody's key can trust their signatures too (although with less confidence).

What do we need?

You will probably want to convince other people that you are the person you claim to be on your PGP key. Many people accept an ID card or a driver's licence (with photo), although some may ask you for something else to verify that you are who you say you are. It is also recommended to bring several pieces of paper on which you have previously noted your key fingerprint (hash), your key ID, your name or nickname and your e-mail address, to hand out to others.

How can I get my key hash or ID?

Just execute "gpg --list-secret-keys --fingerprint --keyid-format 0xshort" and look for the fingerprint field. The key ID is on the first line, after the slash, beginning with 0x.

How can I get my key long ID?

Just execute "gpg --list-secret-keys --keyid-format 0xlong". The key ID is on the first line, after the slash, beginning with 0x.

How to sign a key

It's actually pretty simple. You can do it either with caff (this is the recommended method, as it ensures on the one hand that the email address on the key is correct, and on the other hand that you don't upload the signed key if the key's owner doesn't want that):

  • $ caff <Key_ID>

or you can do it manually:

How can I get other people's keys?

Edit ~/.gnupg/gpg.conf and add the line "keyserver hkp://subkeys.pgp.net" if there isn't a keyserver line already (you can replace it with your favourite keyserver); after that, execute

  • $ gpg --recv-keys $KeyID1 $KeyID2 ...

How can I get other people's key fingerprints?

After importing the key into your keyring, just execute

  • $ gpg --fingerprint --list-keys $KeyID

Sign the key

  • $ gpg --sign-key <Key_ID>

Export it (ASCII-armored, so it survives being sent by mail) and send it by mail

  • $ gpg --export --armor <Key_ID> > <Key_ID>.asc

Upload your own key once you have received it back signed

  • $ gpg --send-key <Key_ID>
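Before the "Sign the key" step, the fingerprint that "gpg --fingerprint --list-keys" prints for the fetched key must match, digit for digit, the one you ticked on the paper list at the party. The following is an added example, not code from this wiki page: it parses gpg's listing output (both the 1.4-style "Key fingerprint =" line used on this page and the fingerprint-only line of newer gpg releases) and answers the "Fingerprint matches" question, also checking that a key ID written on a slip is really the tail of that fingerprint. The listing text and keys are constructed for the example, not attendees' data.

```python
import re

# Constructed gpg listings for two hypothetical keys (not party attendees):
# gpg 1.4 style as used on this page (--keyid-format 0xshort), then gpg >= 2.1.
SAMPLE_LISTING = """\
pub   1024D/0x1234ABCD 2008-06-01
      Key fingerprint = 0123 4567 89AB CDEF 0123 4567 89AB CDEF 1234 ABCD
uid                  Example Attendee <attendee@example.org>
pub   rsa4096 2017-01-01 [SC]
      FEDC BA98 7654 3210 FEDC  BA98 7654 3210 ABCD 1234
uid           [ultimate] Other Attendee <other@example.org>
"""

ENTRY = re.compile(  # a pub/sec line followed by its fingerprint line, either style
    r"^(?:pub|sec)\s+(\S+).*\n[ \t]*(?:Key fingerprint\s*=\s*)?"
    r"([0-9A-Fa-f]{4}(?:\s+[0-9A-Fa-f]{4}){9})[ \t]*$", re.MULTILINE)

def normalize(fpr):
    """Drop the 4-digit grouping and case; a v4 fingerprint is 40 hex digits."""
    digits = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % fpr)
    return digits

def key_id(text):
    """Upper-case a key ID as written on a slip or pub line, without any 0x."""
    text = text.upper()
    return text[2:] if text.startswith("0X") else text

def parse_listing(text):
    """Map each fingerprint to the key ID on its pub line (None if not shown)."""
    keys = {}
    for ident, fpr in ENTRY.findall(text):
        keys[normalize(fpr)] = key_id(ident.split("/", 1)[1]) if "/" in ident else None
    return keys

def key_id_belongs_to(kid, fpr):
    """A v4 short (8 hex) or long (16 hex) key ID is the tail of the fingerprint.
    A short ID alone does not identify a key; compare all 40 digits."""
    kid = key_id(kid)
    return len(kid) in (8, 16) and normalize(fpr).endswith(kid)

def fingerprint_matches(listing, fpr_on_paper, kid_on_paper=None):
    """The 'Fingerprint matches' tick: gpg's fingerprint for the fetched key must
    equal the one checked at the party, and any key ID noted must belong to it."""
    expected = normalize(fpr_on_paper)
    if expected not in parse_listing(listing):
        return False
    return kid_on_paper is None or key_id_belongs_to(kid_on_paper, expected)
```

Feed it the real output of "gpg --fingerprint --list-keys $KeyID" and the fingerprint from your annotated list; only a True result earns the checkmark, and the ID check on its own is never sufficient.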

Is there a good guide on the matter?

Yes, you can have a look at this guide.

Where can I get more info on the matter?

Here.



GUADEC/2008/Events/KeySigningParty (last edited 2008-07-10 04:30:47 by docpi)