ALE GPG Key Signing Party
(ALE Central Meeting for 7:30pm on Thursday, November 19, 2009)
Where:
Gambrell Hall Classroom 1C
Emory University School of Law
1301 Clifton Road
Atlanta, GA 30322
( Maps and Parking Info here )
When:
Thursday, November 19th, 2009:
7:30pm to 8:00pm (prompt) --> Brief Introduction to GPG
8:00pm to 9:30pm (prompt) --> Key Signing Party
We will start the key-signing process promptly at 8:00pm.
If you wish to participate you should prepare in advance and arrive on time.
Synopsis:
The November ALE Central meeting will be a gathering of ALE members,
friends and associates who are interested in learning more about the GnuPG
implementation of PGP cryptography and the value of protecting your privacy
and your identity with PGP signatures. For those who also intend to start
using PGP (GnuPG), the subsequent key signing party serves to confirm the
identity of other PGP Key users by signing each other's keys. This establishes
a "key ring" and helps to extend the "web of trust" to a great degree.
Internationally recognized cryptography and computer security expert
Michael Warfield was set to present the GPG/PGP talk and host the
key signing party, but a badly broken leg will be preventing his physical
attendance. Instead, Michael will be consulting behind the scenes to help
Charles Shapiro, Jeremy Bouse and Aaron Ruscetta present the
topic and run the party.
What YOU need as a participant in the ALE Key Signing party:
Required Items for Participation:
- Physical presence
- Positive picture ID & second supporting form of ID
(name must align with that used for the public key)
- Your PRE generated and PRE submitted Key Info:
Key ID, Key Size, Key Type & HEX fingerprint
in hard copy paper form.
- A pen or pencil or whatever you'd like to write with.
- NO computer (to maintain privacy & security)
Required Process:
- Generate a key*. Remember your pass phrase!
---
To help with this, Charles Shapiro has prepared an excellent GPG Howto page
with step by step command line directions for using the gpg (gpg2) program to
generate, store, sign, register and use GPG keys.
---
*RSA/RSA Key pairs are strongly recommended. This is currently the default
for the most recent releases of GnuPG2, which is available for download and
installation on most platforms via gnupg.org (for Mac OS X see sourceforge)
---
Other general information about GPG keys and instructions for key generation
and participating in a signing party can be found at the Keysigning Party Howto
page, though some of the described party procedures and processes have been
slightly modified to suit our ALE event. General GPG FAQ links are also
included below.
---
- Perform an EXPORT of your key and email it to the key registry address.
All participants MUST send their Exported Public Key Text Block to
Michael Warfield's automated key registry at alekeyparty@wittsend.com
by Midnight (EST) on Wednesday, November 18th.
---
- Michael will provide a list of all party participants with their Key info
(User ID, Type, Size and Fingerprint) and distribute copies of the printout
at the meeting. Participants will mark their sheets as individual IDs and
Key Fingerprints are confirmed. (Michael will also establish or designate
a Key Ring Server for the final, post party step of the Key Signing Process).
---
- Participants attend the party and bring along a paper copy of their Key info.
You must also bring along a suitable form of photo ID and a secondary supporting
form of ID. Participants will make two marks on their copy of the key ring listing,
one for confirmation of correct Key Info (User ID, Type, Size, & Fingerprint)
and one for confirmation of the personal photo ID.
---
- At the meeting each key owner reads their Key info (User ID, Type, Size, &
Fingerprint) from their own paper hard copy (NOT from the distributed listing!).
This is because there could be an error, intended or not, on the listing. This is
also the time to tell which IDs to sign or not. If the key information read aloud
matches the entry on a participant's copy of the distributed Key list, that
participant places a check-mark by that Key information.
---
- After all participants have read their key ID information, they form a line.
The first person walks down the line having every person check his ID.
The second person follows immediately behind the first person and so on.
If you are satisfied that the person is who they say they are, and that the Key
User ID on the printout is theirs, you place another check-mark next to their
Key information on your printout.
---
- Once the first person cycles back around to the front of the line, they will have
checked all the other IDs and their ID will have been checked by all others.
---
- After everyone has identified themselves, the formal part of the meeting is over.
Participants are free to travel to Melton's App and Tap to further discuss matters
of PGP and Linux together. If everyone is punctual the formal part of the evening
should take less than an hour.
---
- After attending the party and confirming the key and ID information on your copy
of the list of participants, each participant must independently log into the Key Server
(that will have been designated by Michael at the party) and sign all of the keys on
your hard copy list that you have "double checked" and confirmed. Keys on your
list can only be signed if they have two check-marks!
---
- Send the signed keys back to the keyservers.
---
- Use those keys as often as possible.
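The post-party rule above (sign a key only if it carries two check-marks, and only if the fingerprint its owner read aloud is the one on the key you actually fetched) can be checked mechanically before any signing. This is an added example, not part of the original announcement; the checklist file format, the function names and every key shown are constructed assumptions.

```shell
# Constructed stand-in for `gpg --with-colons --fingerprint` on the party key
# ring (not real keys); the fingerprint is field 10 of each "fpr" record.
sample_keyring() {
cat <<'EOF'
pub:-:2048:1:89ABCDEF01234567:1258588800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1258588800::::Alice Example <alice@example.org>:
sub:-:2048:1:AAAAAAAAAAAAAAAA:1258588800::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:-:2048:1:76543210FEDCBA98:1258588800:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:-:2048:1:7777888899990000:1258588800:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
EOF
}
# Constructed transcription of the marked-up paper sheet, one key per line:
#   fingerprint as read aloud : key-info check-mark : photo-ID check-mark
sample_checklist() {
cat <<'EOF'
0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567:x:x
FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98:x:
1111 2222 3333 4444 5555  6666 7777 8888 9999 000A:x:x
EOF
}

# signing_plan CHECKLIST COLON_LISTING: prints SIGN, SKIP or MISMATCH per key.
signing_plan() {
    awk -F: '
        src == "ring" {                       # collect primary-key fingerprints
            if ($1 == "pub") want = 1
            else if ($1 == "sub") want = 0    # subkey fingerprints do not count
            else if ($1 == "fpr" && want) { onring[toupper($10)] = 1; want = 0 }
            next
        }
        /^#/ || NF < 3 { next }               # comment or malformed line
        {
            fpr = toupper($1); gsub(/[^0-9A-F]/, "", fpr)
            if ($2 == "" || $3 == "")  print "SKIP " fpr " (needs two check-marks)"
            else if (!(fpr in onring)) print "MISMATCH " fpr " (differs from key ring)"
            else                       print "SIGN " fpr
        }
    ' src=ring "$2" src=list "$1"
}
demo() {   # run the check on the constructed samples above
    tmp=$(mktemp -d) || return 1
    sample_keyring > "$tmp/ring"; sample_checklist > "$tmp/list"
    signing_plan "$tmp/list" "$tmp/ring"; rm -rf "$tmp"
}
demo
```

With real data, save the output of `gpg --with-colons --fingerprint` as the second argument and sign only the fingerprints reported as SIGN, for example with `gpg --sign-key <fingerprint>`.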
Why shouldn't I bring a computer?
There are a variety of reasons why you don't want to do this. The short
answer is it would be insecure, unsafe, and of no benefit. For those not
convinced, here are some reasons why it is insecure, unsafe, and of no
benefit.
- Someone might have modified the computer's programs, operating system, or
hardware to steal or modify keys.
- If people are swapping disks with their keys on them the computer owner has
to worry about viruses.
- If people are carrying their secret keys with them and intend to do the signing
at the actual meeting by typing their passphrase into a computer, then they are
open to key-logging attacks, shoulder-surfing, etc.
- It is much better to just exchange key details and verify ID and then do the
signing when you get home to your own trusted computer.
- Someone might spill beer on it.
- Someone might drop it or knock it off the table.
- Many more reasons that don't deserve articulating
Other questions about signing keys?
You may want to read the Keysigning Party Howto which includes an
explanation of the concepts behind keysigning, instructions for hosting
a keysigning party, instructions for participating in a keysigning party,
and step by step instructions for signing others' keys.
If you're looking for quick answers you may want to look to the
questions and answers below, which all come from the PGP FAQ.
It also has a lot of other good information.
Other useful PGP links
A few more links for PGP newbies, or those who wish to reacquaint
themselves.
What if I still have a question?
If, after reading the resources provided above, you need help with other questions,
you can (sign up for and) post your inquiries to the many informed IT professionals
of the ALE@ALE.ORG mailing list. Please include "GPG", "PGP" or "Key
Signing Party" in the Subject line.